


The Existence of Refinement Mappings

Martin Abadi and Leslie Lamport



August 14, 1988 



Systems Research Center 



DEC's business and technology objectives require a strong research program. 
The Systems Research Center (SRC) and three other research laboratories 
are committed to filling that need. 

SRC began recruiting its first research scientists in 1984 — their charter, to 
advance the state of knowledge in all aspects of computer systems research. 
Our current work includes exploring high-performance personal computing, 
distributed computing, programming environments, system modelling tech- 
niques, specification technology, and tightly-coupled multiprocessors. 

Our approach to both hardware and software research is to create and use 
real systems so that we can investigate their properties fully. Complex 
systems cannot be evaluated solely in the abstract. Based on this belief, 
our strategy is to demonstrate the technical and practical feasibility of our 
ideas by building prototypes and using them as daily tools. The experience 
we gain is useful in the short term in enabling us to refine our designs, and 
invaluable in the long term in helping us to advance the state of knowledge 
about those systems. Most of the major advances in information systems 
have come through this strategy, including time-sharing, the ArpaNet, and 
distributed personal computing. 

SRC also performs work of a more mathematical flavor which complements 
our systems research. Some of this work is in established fields of theoretical 
computer science, such as the analysis of algorithms, computational geome- 
try, and logics of programming. The rest of this work explores new ground 
motivated by problems that arise in our systems research. 

DEC has a strong commitment to communicating the results and experience 
gained through pursuing these activities. The Company values the improved 
understanding that comes with exposing and testing our ideas within the 
research community. SRC will therefore report results in conferences, in 
professional journals, and in our research report series. We will seek users 
for our prototype systems among those with whom we have common research 
interests, and we will encourage collaboration with university researchers. 



Robert W. Taylor, Director 









©Digital Equipment Corporation 1988 



This work may not be copied or reproduced in whole or in part for any com- 
mercial purpose. Permission to copy in whole or in part without payment 
of fee is granted for nonprofit educational and research purposes provided 
that all such whole or partial copies include the following: a notice that 
such copying is by permission of the Systems Research Center of Digital 
Equipment Corporation in Palo Alto, California; an acknowledgment of the 
authors and individual contributors to the work; and all applicable portions 
of the copyright notice. Copying, reproducing, or republishing for any other 
purpose shall require a license with payment of fee to the Systems Research 
Center. All rights reserved. 






Author's Abstract 

Refinement mappings are used to prove that a lower-level specification correctly implements a higher-level one. We consider specifications consisting of a state machine (which may be infinite-state) that specifies safety requirements, and an arbitrary supplementary property that specifies liveness requirements. A refinement mapping from a lower-level specification $S_1$ to a higher-level one $S_2$ is a mapping from $S_1$'s state space to $S_2$'s state space. It maps steps of $S_1$'s state machine to steps of $S_2$'s state machine and maps behaviors allowed by $S_1$ to behaviors allowed by $S_2$. We show that, under reasonable assumptions about the specifications, if $S_1$ implements $S_2$, then by adding auxiliary variables to $S_1$ we can guarantee the existence of a refinement mapping. This provides a completeness result for a practical, hierarchical specification method. 

Capsule Review 

This report deals with the problem of proving that implementations satisfy 
their specifications. Suppose, for example, that a client asks a circuit fabri- 
cator to build a box with S inside and with certain external signals (inputs 
and outputs). The circuit fabricator returns later with an epoxy brick that 
has an appropriate number of wires sticking out for the external signals, but 
that actually contains not S but some other circuit I. In order to guarantee 
that the client cannot detect the substitution without breaking open the 
brick (and thereby voiding the warranty), the fabricator must be sure that 
for any possible behavior of I there corresponds at least one behavior of S 
that produces identical external signals. 

In some cases, such a correspondence between behaviors can be proved 
using a refinement mapping, a function that maps states of I to states of 
S and that satisfies certain conditions. The refinement mapping technique 
reduces a problem of proving something about arbitrary behaviors to one of 
proving something about single state transitions. Unfortunately there are 
many cases in which a correct implementation I cannot be related to its 
specification S by a refinement mapping. 

This report shows that it is possible in a very large class of cases to 
augment a legal implementation with some extra state components (history 
and prophecy variables) in a way that places no constraints on the behavior 
of the implementation but that makes it possible to produce an appropriate 
refinement mapping to the specification. This result broadens considerably 
the domain of applicability of the refinement mapping technique. 
1 Introduction 



1.1 Specifications 

A system may be specified at many levels of abstraction, from a description 
of its highest-level properties to a description of its implementation in terms 
of microcode and circuitry. We address the problem of proving that a lower- 
level specification is a correct implementation of a higher-level one. 

Unlike simple programs, which can be specified by input/output rela- 
tions, complex systems can be adequately specified only by describing their 
behaviors — that is, their possible sequences of inputs and outputs. We con- 
sider specification methods in which a behavior is represented by a sequence 
of states and a system is specified by a set of permitted behaviors. Input 
and output are represented in the state — for example, by including a key- 
board state describing which keys are currently depressed and a screen state 
describing what is currently displayed. 

A specification should describe only the externally visible components 
of a system's state. However, it is often helpful to describe its behavior in 
terms of unobservable internal components. For example, a natural way to 
specify a queue includes a description of the sequence of elements currently 
in the queue, and that sequence is not externally visible. Although internal 
components are mentioned, the specification prescribes the behavior of only 
the externally visible components. The system may exhibit the externally 
visible behavior 

$\langle\langle e_0, e_1, e_2, \ldots \rangle\rangle$

where $e_i$ is a state of the externally visible component, if there exist states 
$y_i$ of the internal component such that the complete behavior 

$\langle\langle (e_0, y_0), (e_1, y_1), (e_2, y_2), \ldots \rangle\rangle$

is permitted by the specification. (We use $\langle\langle\ \rangle\rangle$ to denote a sequence.) 

A specification may allow steps in which only the internal state component changes — for example, a sequence 

$\langle\langle (e_0, y_0), (e_1, y_1), (e_1, y_1'), (e_1, y_1''), (e_2, y_2), \ldots \rangle\rangle$

Such internal steps are not externally visible, so the sequence of external states $\langle\langle e_0, e_1, e_1, e_1, e_2, \ldots \rangle\rangle$ should be equivalent to the sequence $\langle\langle e_0, e_1, e_2, \ldots \rangle\rangle$ obtained by removing the "stuttering" steps from $e_1$ to $e_1$. Let $\Gamma(\langle\langle e_0, e_1, \ldots \rangle\rangle)$ be the set of all sequences obtained from $\langle\langle e_0, e_1, \ldots \rangle\rangle$ by repeating states and deleting repeated states — that is, by adding and removing finite amounts of stuttering. We consider only specifications in which a sequence $\langle\langle e_0, e_1, \ldots \rangle\rangle$ is allowed only if all sequences in $\Gamma(\langle\langle e_0, e_1, \ldots \rangle\rangle)$ are allowed. Such specifications are said to be invariant under stuttering. 

The behaviors permitted by a specification can be described as the set 
of sequences satisfying a safety and a liveness property [AS86, Lam77]. In- 
tuitively, a safety property asserts that something bad does not happen and 
a liveness property asserts that something good does eventually happen. 
In specifying a queue, the safety property might assert that the sequence 
of elements removed from the queue is an initial prefix of the sequence of 
elements added to the queue. The liveness property might assert that an 
operation of putting an element into the queue is eventually completed if 
the queue is not full, and an operation of removing an element from the 
queue is eventually completed if the queue is not empty. (What operations 
are in progress and what elements they are adding to or have removed from 
the queue would be described by the externally visible state.) 

We are concerned with specifications in which the safety property is de- 
scribed by an "abstract" nondeterministic program; a behavior satisfies the 
property if it can be generated by the program. Liveness properties are 
described either directly by writing axioms or indirectly by placing fairness 
constraints on the abstract program. In a specification of a queue, the pro- 
gram describes the sequence of actions by which an element is added to or 
removed from the sequence of queued elements, ensuring the safety property 
that the correct elements are removed from the queue. Additional fairness 
constraints assert that certain actions must eventually occur, ensuring the 
liveness property that operations that should complete eventually do com- 
plete. 

Many proposed specification methods involve writing programs and 
fairness conditions in this way [LS84, Lam83, LT87]. (Some methods do 
not consider liveness at all and just specify safety properties with 
programs.) 

To describe specifications formally, we represent a program by a state 
machine (whose set of states may be infinite) and we represent the fairness 
constraints by an arbitrary supplementary condition. For our results, it does 
not matter if the supplementary condition specifies a liveness property. 
1.2 Proving That One Specification Implements Another 

A specification $S_1$ implements a specification $S_2$ if every externally visible behavior allowed by $S_1$ is also allowed by $S_2$. To prove that $S_1$ implements $S_2$, it suffices to prove that if $S_1$ allows the behavior 

$\langle\langle (e_0, z_0), (e_1, z_1), (e_2, z_2), \ldots \rangle\rangle$

where the $z_i$ are internal states, then there exist internal states $y_i$ such that $S_2$ allows 

$\langle\langle (e_0, y_0), (e_1, y_1), (e_2, y_2), \ldots \rangle\rangle$

In general, each $y_i$ can depend upon the entire sequence $\langle\langle (e_0, z_0), (e_1, z_1), (e_2, z_2), \ldots \rangle\rangle$, and proving the existence of the $y_i$ may be quite difficult. The proof is easier if each $y_i$ depends only upon $e_i$ and $z_i$, so there exists a function $f$ such that $(e_i, y_i) = f(e_i, z_i)$. To verify that $\langle\langle f(e_0, z_0), f(e_1, z_1), f(e_2, z_2), \ldots \rangle\rangle$ satisfies the safety property of $S_2$, it suffices to show that $f$ preserves state machine behavior — that is, it maps executions of $S_1$'s state machine to executions (possibly with stuttering) of $S_2$'s state machine. Proving that $f$ preserves state machine behavior involves reasoning about states and pairs of states, not about sequences. Verifying that $f$ preserves liveness — meaning that $\langle\langle f(e_0, z_0), f(e_1, z_1), f(e_2, z_2), \ldots \rangle\rangle$ satisfies the liveness property of $S_2$ — usually also requires only local reasoning, with no explicit reasoning about sequences. A mapping $f$ that preserves state machine behavior and liveness is called a refinement mapping. 

In the example of a queue, the internal state $y_i$ of specification $S_2$ might describe the sequence of elements currently in the queue, and the internal state $z_i$ of specification $S_1$ might describe the contents of an array that implements the queue. To prove that $S_1$ implements $S_2$, one would construct a refinement mapping $f$ such that $f(e_i, z_i) = (e_i, y_i)$, where $y_i$ describes the state of the queue that is represented by the contents of the array described by state $z_i$. 

Several methods for proving that one specification implements another are based upon finding a refinement mapping [LS84, Lam83]. In practice, if $S_1$ implements $S_2$, then these methods usually can prove that the implementation is correct — usually, but not always. The methods fail if the refinement mapping does not exist. Three reasons why the mapping might not exist are: 

• $S_2$ may specify an internal state with "historical information" not needed by $S_1$. For example, suppose $S_2$ requires that the system display up to three of the least-significant bits of a three-bit clock. This specification is implemented by a lower-level specification $S_1$ that alternately displays zero and one, with no internal state. A refinement mapping does not exist because there is no way to define the internal state of a three-bit clock as a function of its low-order bit. 

• $S_2$ may specify that a nondeterministic choice is made before it has to be. For example, consider two specifications $S_1$ and $S_2$ for a system that displays ten nondeterministically chosen values in sequence. Suppose $S_2$ requires that all values be chosen before any is displayed, while $S_1$ requires each value to be chosen as it is displayed. Both specifications describe the same externally visible behaviors, so each implements the other. However, $S_2$ requires the internal state to contain all ten values before any is displayed, while $S_1$ does not specify any internal state, so no refinement mapping is possible. 

• $S_2$ may "run slower" than $S_1$. For example, let $S_1$ and $S_2$ both specify clocks in which hours and minutes are externally visible and seconds are internal. Suppose that in $S_2$ each step increments the clock by one second, while in $S_1$ each step increments the clock by ten seconds. Both specifications allow the same externally visible behaviors. To show that $S_2$ implements $S_1$, we can use the refinement mapping $f$ that rounds the time down to the nearest multiple of ten seconds. For any complete behavior $\langle\langle s_0, s_1, s_2, \ldots \rangle\rangle$ allowed by $S_2$, the behavior $\langle\langle f(s_0), f(s_1), f(s_2), \ldots \rangle\rangle$ is a complete behavior allowed by $S_1$ that contains nine "stuttering" steps for every step that changes the state. 

On the other hand, a complete behavior $\langle\langle s_0, s_1, s_2, \ldots \rangle\rangle$ specified by $S_1$ may produce an externally visible change every six steps. For any mapping $f$, the sequence $\langle\langle f(s_0), f(s_1), f(s_2), \ldots \rangle\rangle$ may also produce an externally visible change every six steps. This is not allowed by $S_2$, which requires fifty-nine internal steps for every externally visible one. Hence, no refinement mapping can prove that $S_1$ implements $S_2$. 

If a refinement mapping does not exist, it can often be made to exist 
by adding auxiliary variables to the lower-level specification. An auxiliary 
variable is an internal state component that is added to a specification with- 
out affecting the externally visible behavior. The three situations described 
above in which refinement mappings cannot be found are handled as follows: 

• Historical information missing from the internal state specified by $S_1$ can be provided by adding a history variable — a well-known form of auxiliary variable that merely records past actions [Owi75]. 

• If $S_2$ requires that a nondeterministic choice be made before it has to be, then $S_1$ can be modified so the choice is made sooner by adding a prophecy variable. A prophecy variable is a new form of auxiliary variable that is the mirror image of a history variable — its formal definition is almost the same as the definition of a history variable with past and future interchanged, but there is an asymmetry due to behaviors having a beginning but not necessarily an end. 

• If $S_2$ runs slower than $S_1$, then an auxiliary variable must be added to $S_1$ to slow it down. We will define prophecy variables in such a way that they can perform this slowing. 

Our main result is a completeness theorem. It states that, under three hypotheses about the specifications, if $S_1$ implements $S_2$ then one can add auxiliary history and prophecy variables to $S_1$ to form an equivalent specification and find a refinement mapping from that specification to $S_2$. The three hypotheses, and their intuitive meanings, are: 

$S_1$ is machine closed. Machine closure means that the supplementary property (the one normally used to specify liveness requirements) does not specify any safety property not already specified by the state machine. In other words, the state machine does as much of the specifying as possible. 

$S_2$ has finite invisible nondeterminism. This means that, given any finite number of steps of an externally visible behavior allowed by $S_2$, there are only a finite number of possible choices for its internal state component. 

$S_2$ is internally continuous. A specification is internally continuous if, for any complete behavior that is not allowed, we can determine that it is not allowed by examining only its externally visible part (which may be infinite) and some finite portion of the complete behavior. 

We will show by examples why these three hypotheses are needed. 

We will prove that any safety property has a specification with finite invisible nondeterminism, any specification of a safety property is internally continuous, and any property has a machine-closed specification. Therefore, our completeness theorem implies that if the specifications are written in a suitable form and $S_2$ specifies only a safety property then one can ensure that a refinement mapping exists. We will also show that, even when $S_2$ is not internally continuous, a refinement mapping exists to show that $S_1$ satisfies the safety property specified by $S_2$. Therefore, by writing suitable specifications, refinement mappings can always be used to prove the safety property of a specification if not its liveness property. We do not know if anything can be said about proving arbitrary liveness properties. 

Throughout this report, proofs are written in a self-explanatory struc- 
tured format. The format permits very careful proofs that can be read to 
any desired level of detail by ignoring lower-level statements. Writing proofs 
in this format helped us to eliminate many errors and greatly increased our 
confidence in the correctness of the results. 

A glossary/index of notations and conventions appears at the end of this 
report, along with an index. We hope they will help the reader cope with 
the formalism. 

2 Preliminaries 

2.1 Sequences 

We now define some useful notations for sequences. In these definitions, $\sigma$ denotes the sequence $\langle\langle s_0, s_1, s_2, \ldots \rangle\rangle$ and $\tau$ denotes the sequence $\langle\langle t_0, t_1, t_2, \ldots \rangle\rangle$. These sequences may be finite or infinite. If $\sigma$ is finite, we let $|\sigma|$ denote its length and $last(\sigma)$ denote its last element, so $|\langle\langle s_0, \ldots, s_{m-1} \rangle\rangle| = m$ and $last(\langle\langle s_0, \ldots, s_{m-1} \rangle\rangle) = s_{m-1}$. An infinite sequence is said to be terminating iff (if and only if) it is of the form $\langle\langle s_0, s_1, \ldots, s_n, s_n, s_n, \ldots \rangle\rangle$ — in other words, if it reaches a final state in which it stutters forever. 

As usual, a mapping $g$ on elements is extended to a mapping on sequences of elements by defining $g(\sigma)$ to equal $\langle\langle g(s_0), g(s_1), \ldots \rangle\rangle$, and to a mapping on sets of elements by defining $g(S)$ to equal $\{g(s) : s \in S\}$. 

The sequence $\sigma$ is said to be stutter-free if, for each $i$, either $s_i \neq s_{i+1}$ or the sequence is infinite and $s_i = s_j$ for all $j > i$. Thus, a nonterminating sequence is stutter-free iff it never stutters, and a terminating sequence is stutter-free iff it stutters only after reaching its final state. We define $\natural\sigma$ to be the stutter-free form of $\sigma$ — that is, the stutter-free sequence obtained by replacing every maximal finite subsequence $s_i, \ldots, s_j$ of identical elements with the single element $s_i$. For example, 

$\natural\langle\langle 0, 1, 1, 2, 2, 2, 3, 3, 3, 3, 4, \ldots \rangle\rangle = \langle\langle 0, 1, 2, 3, 4, \ldots \rangle\rangle$

We define $\sigma \simeq \tau$ to mean that $\natural\sigma = \natural\tau$, so $\sigma \simeq \tau$ iff $\sigma$ and $\tau$ are equivalent up to stuttering, and we define $\Gamma\sigma$ to be the set $\{\tau : \tau \simeq \sigma\}$. If $S$ is a set of sequences, $\Gamma(S)$ is the set $\{\tau : \exists \sigma \in S .\ \tau \in \Gamma\sigma\}$. A set of sequences $S$ is closed under stuttering iff $S = \Gamma(S)$. Thus, $S$ is closed under stuttering iff for every pair of sequences $\sigma, \tau$ with $\sigma \simeq \tau$, if $\sigma \in S$ then $\tau \in S$. 

We use "$\cdot$" to denote concatenation of sequences — that is, if $|\sigma| = m$, then $\sigma \cdot \tau = \langle\langle s_0, \ldots, s_{m-1}, t_0, t_1, \ldots \rangle\rangle$. If $|\sigma| \geq m$, we let $\sigma|m$ denote $\langle\langle s_0, s_1, \ldots, s_{m-1} \rangle\rangle$, the prefix of $\sigma$ of length $m$. 

For any set $\Sigma$, let $\Sigma^\omega$ denote the set of all infinite sequences of elements in $\Sigma$. An infinite sequence $\langle\langle \sigma_0, \sigma_1, \sigma_2, \ldots \rangle\rangle$ of sequences in $\Sigma^\omega$ is said to converge to the sequence $\sigma$ in $\Sigma^\omega$ iff for all $m > 0$ there exists an $n \geq 0$ such that $\sigma_i|m = \sigma|m$ for all $i \geq n$. In this case, we define $\lim \sigma_i$ to be $\sigma$. This definition of convergence gives rise to a topology on $\Sigma^\omega$. We now recall some other definitions. 

Let $\sigma$ be an element of $\Sigma^\omega$ and let $S$ be a subset of $\Sigma^\omega$. We say that $\sigma$ is a limit point of $S$ iff there exist elements $\sigma_i$ in $S$ such that $\lim \sigma_i = \sigma$. The set $S$ is closed iff $S$ contains all its limit points. The closure of $S$, denoted $\overline{S}$, consists of all limit points of $S$; it is the smallest closed superset of $S$. 

2.2 Properties 

We can only say that one specification implements another if we are given a correspondence between the externally visible states of the two specifications. For example, if $S_2$ asserts that the initial value of a particular register is the integer $-3$ and $S_1$ asserts that the register's initial value is the sequence of bits 1111100, then we can't say whether or not $S_1$ implements $S_2$ without knowing how to interpret a sequence of bits as an integer. In general, to decide if $S_1$ implements $S_2$, we must know how to interpret an externally visible state of $S_1$ as an externally visible state of $S_2$. Given such an interpretation, we can translate $S_1$ into a specification with the same set of externally visible states as $S_2$. Thus, there is no loss of generality in requiring that $S_1$ and $S_2$ have the same set of externally visible states. 

We therefore assume that all specifications under consideration have the same fixed set $\Sigma_E$ of externally visible states. A state space $\Sigma$ is a subset of $\Sigma_E \times \Sigma_I$ for some set $\Sigma_I$ of internal states. We let $\Pi_E$ be the obvious projection mapping from $\Sigma_E \times \Sigma_I$ onto $\Sigma_E$. The set $\Sigma_E$ itself is considered to be a state space for which $\Pi_E$ is the identity mapping. 

If $\Sigma$ is a state space, then a $\Sigma$-behavior is an element of $\Sigma^\omega$. A $\Sigma_E$-behavior is called an externally visible behavior. A $\Sigma$-property $P$ is a set of $\Sigma$-behaviors that is closed under stuttering. A $\Sigma_E$-property is called an externally visible property. If $P$ is a $\Sigma$-property, then $\Pi_E(P)$ is a set of externally visible behaviors but is not necessarily an externally visible property because it need not be closed under stuttering. The externally visible property induced by a $\Sigma$-property $P$ is defined to be the set $\Gamma(\Pi_E(P))$. 

If $\Sigma$ is clear from context or is irrelevant, we use the terms behavior and property instead of $\Sigma$-behavior and $\Sigma$-property. We sometimes add the adjective "complete", as in "complete behavior", to distinguish behaviors and properties from externally visible behaviors and properties. 

A property $P$ that is closed ($P = \overline{P}$) is called a safety property. Intuitively, a safety property is one asserting that something bad does not happen. To see that our formal definition of a safety property as a closed set captures this intuitive meaning, observe that if something bad happens, then it must happen within some finite period of time. Thus, $P$ is a safety property iff, for any sequence $\sigma$ not in $P$, one can tell that $\sigma$ is not in $P$ by looking at some finite prefix $\sigma|i$ of $\sigma$. In other words, $\sigma \notin P$ iff there exists an $i$ such that for all $\tau$, if $\tau|i = \sigma|i$ then $\tau \notin P$. Hence, $\sigma \in P$ iff for all $i$ there exists a $\tau_i \in P$ such that $\tau_i|i = \sigma|i$. But $\lim \tau_i = \sigma$, which implies that $\sigma \in \overline{P}$; thus, $\sigma \in P$ iff $\sigma \in \overline{P}$. Therefore, $P$ satisfies the intuitive definition of a safety property only if $P = \overline{P}$. 

Even though we do not use the formal definition, it is interesting to note that a $\Sigma$-property $L$ can be defined to be a liveness property iff it is dense in $\Sigma^\omega$ — in other words, iff $\overline{L} = \Sigma^\omega$. This means that $L$ is a liveness property iff any finite sequence of elements in $\Sigma$ can be extended to a behavior in $L$. In a topological space, every set can be written as the intersection of a closed set and a dense set, so any property $P$ can be written as $M \cap L$, where $M$ is a safety property and $L$ is a liveness property. Moreover, $M$ can be taken to be $\overline{P}$. 
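The finite-prefix characterization of safety, and the density characterization of liveness, can be exercised on a concrete property. The following is an added example, not code from the report: it takes the queue safety requirement of Section 1.1 (the sequence of removed elements is a prefix of the sequence of added elements) and a simple drained-queue requirement standing in for liveness. Behaviors are modelled by finite prefixes of externally visible states, each state being the constructed pair (added, removed) of element sequences seen so far; the trace values GOOD and BAD are constructed sample data.

```python
"""Safety versus liveness on finite prefixes (added example, not from the paper).
A state is the pair (added, removed) of element sequences observed so far;
a behaviour is a finite prefix of such states. A terminating behaviour
<<s0, ..., sn, sn, sn, ...>> is represented by the prefix ending at sn."""

def queue_safe_state(state):
    """Nothing bad has happened if removed is an initial prefix of added."""
    added, removed = state
    return added[:len(removed)] == removed

def violating_prefix(behavior):
    """Index i of the first state whose prefix behavior|i+1 already rules the
    behaviour out, or None. A safety property is exactly one for which every
    excluded behaviour has such a finite prefix, so a monitor can stop at i:
    every extension of that prefix is excluded as well."""
    for i, state in enumerate(behavior):
        if not queue_safe_state(state):
            return i
    return None

def eventually_drained(behavior):
    """A liveness-style requirement on a terminating behaviour: in the final
    (forever stuttering) state everything that was added has been removed."""
    added, removed = behavior[-1]
    return added == removed

def extend_to_live(prefix):
    """Any finite prefix, safe or not, extends to a behaviour satisfying
    eventually_drained; no finite prefix can refute the requirement, which is
    the density condition of Section 2.2 in miniature."""
    added, _ = prefix[-1]
    return tuple(prefix) + ((added, added),)

# Constructed traces of externally visible states.
GOOD = (((), ()), (("a",), ()), (("a", "b"), ()), (("a", "b"), ("a",)),
        (("a", "b"), ("a", "b")))
BAD = (((), ()), (("a",), ()), (("a", "b"), ("b",)))   # wrong element removed
```

The contrast is the point: `violating_prefix(BAD)` identifies the offending state at index 2 and nothing later can repair it, whereas `eventually_drained` can be refuted by no finite prefix at all, since `extend_to_live` always completes one.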

2.3 Specifications 

A state machine is a triple $(\Sigma, F, N)$ where 

• $\Sigma$ is a state space. (Recall that this means $\Sigma \subseteq \Sigma_E \times \Sigma_I$ for some set $\Sigma_I$ of internal states.) 

• $F$, the set of initial states, is a subset of $\Sigma$. 

• $N$, the next-state relation, is a subset of $\Sigma \times \Sigma$. (Elements of $N$ are denoted by pairs of states enclosed in angle brackets, like $\langle s, t \rangle$.) 

The (complete) property generated by a state machine $(\Sigma, F, N)$ consists of all infinite sequences $\langle\langle s_0, s_1, \ldots \rangle\rangle$ such that $s_0 \in F$ and, for all $i \geq 0$, either $\langle s_i, s_{i+1} \rangle \in N$ or $s_i = s_{i+1}$. This set is closed under stuttering, so it is a $\Sigma$-property. The externally visible property generated by a state machine is the externally visible property induced by its complete property. 
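The sequence operators of Section 2.1 and the property generated by a state machine just defined can be made concrete on finite sequences. The following is an added example, not code from the report: finite tuples stand in for behaviors (a terminating behavior is represented by the prefix ending at its final state), and the modulo-3 counter COUNTER is a constructed machine used only to exercise the definitions.

```python
"""Sequence operators of Section 2.1 and the machine property of Section 2.3
on finite sequences (added example, not code from the paper). Finite tuples
stand in for behaviours; a terminating behaviour <<s0, ..., sn, sn, sn, ...>>
is represented by the finite prefix that ends at its final state sn."""

def natural(seq):
    """Stutter-free form of seq (the paper's natural-sign operator): each
    maximal run of identical adjacent elements collapses to one element."""
    out = []
    for s in seq:
        if not out or out[-1] != s:
            out.append(s)
    return tuple(out)

def is_stutter_free(seq):
    return natural(seq) == tuple(seq)

def equivalent(sigma, tau):
    """sigma ~ tau: the sequences agree up to finite stuttering, i.e. tau is
    a member of Gamma(sigma)."""
    return natural(sigma) == natural(tau)

def prefix(seq, m):
    """seq|m, the prefix of length m; defined only when |seq| >= m."""
    if m > len(seq):
        raise ValueError("prefix longer than the sequence")
    return tuple(seq)[:m]

def concat(sigma, tau):
    """sigma . tau; sigma must be finite for this to make sense."""
    return tuple(sigma) + tuple(tau)

def generated_prefix(machine, seq):
    """True iff seq is a finite prefix of a behaviour in the complete property
    generated by the state machine (states, F, N): it starts in F, stays in
    the state space, and each step is a transition in N or a stutter."""
    states, init, nxt = machine
    if not seq or seq[0] not in init or any(s not in states for s in seq):
        return False
    return all((s, t) in nxt or s == t for s, t in zip(seq, seq[1:]))

# Constructed machine: a counter modulo 3 that may stutter at any point.
COUNTER = (frozenset({0, 1, 2}), frozenset({0}),
           frozenset({(0, 1), (1, 2), (2, 0)}))
```

Because stuttering steps are admitted by the definition, `generated_prefix(COUNTER, seq)` agrees with `generated_prefix(COUNTER, natural(seq))` for every nonempty `seq`, which is the finite shadow of the claim that the generated property is closed under stuttering.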

We now show that the complete property $P$ generated by a state machine is a safety property. This requires proving that if $\lim \sigma_i = \sigma$ and each $\sigma_i \in P$, then $\sigma \in P$. For any behavior $\tau = \langle\langle s_0, s_1, \ldots \rangle\rangle$ and any $j \geq 0$, let the $j$-th truncation of $\tau$ be the terminating behavior $\langle\langle s_0, s_1, \ldots, s_j, s_j, s_j, \ldots \rangle\rangle$. Then $\tau$ is in $P$ iff each of its truncations is in $P$. Since $\lim \sigma_i = \sigma$, each truncation of $\sigma$ equals the corresponding truncation of $\sigma_i$ for some $i$. Since each $\sigma_i$ is in $P$, each such truncation of $\sigma_i$ is in $P$, which implies that $\sigma$ is also in $P$. Hence, $P$ is closed, so the complete property generated by a state machine is a safety property. However, we will show in Section 3 that the externally visible property generated by a state machine need not be a safety property. 

A state machine $(\Sigma, F, N)$ is a familiar type of nondeterministic automaton, where $F$ is the set of starting states and $N$ describes the possible state transitions. (However, remember that $\Sigma$ may be an infinite set.) The set of sequences generated (or accepted) by such an automaton is usually defined to be the set $A$ of all sequences starting with a state in $F$ and progressing by making transitions allowed by $N$. However, we also allow stuttering transitions, so we have defined the property generated by the state machine to be $\Gamma(A)$ together with all terminating sequences obtained from finite prefixes of behaviors in $\Gamma(A)$ by infinite stuttering. 

A specification $S$ is a four-tuple $(\Sigma, F, N, L)$, where $(\Sigma, F, N)$ is a state machine and $L$ is a $\Sigma$-property, called the supplementary property of the specification. The property $M$ generated by the state machine $(\Sigma, F, N)$ is called the machine property of $S$. The (complete) property defined by $S$ is defined to be $M \cap L$, and the externally visible property defined by $S$ is defined to be $\Gamma(\Pi_E(M \cap L))$, the externally visible property induced by $M \cap L$. 

State machines are easier to work with than arbitrary sets of sequences, so one would like to specify a property purely in terms of state machines. However, the complete property generated by a state machine is a safety property. The supplementary property of a specification is needed to introduce liveness requirements. However, if we were to place no additional requirement on our specifications, we could use the supplementary property to do all the specifying. To see why this leads to trouble, let $S_2$ be a specification consisting of any arbitrary state machine that generates an externally visible safety property $O$ together with the trivial supplementary property that contains all behaviors. Define $S_1$ to be the specification with state space $\Sigma_E$ whose state machine is the trivial one that generates all $\Sigma_E$-behaviors and whose supplementary property is $O$. Obviously $S_1$ implements $S_2$. The existence of a refinement mapping from $S_1$ to $S_2$ implies that $S_1$'s state machine implements $S_2$'s state machine. However, $S_1$ has the trivial state machine and no internal state. As we will see, auxiliary variables are added to a specification's state machine without affecting or being affected by the supplementary property. (This is what makes the addition of auxiliary variables practical.) No sound method of adding auxiliary variables can transform the trivial machine into one that implements an arbitrary state machine. Therefore, we need some constraint on the supplementary property. 

In practice, we specify a desired property $P$ by writing $P$ as the intersection $M \cap L$ of a safety property $M$ and a liveness property $L$. We try to construct $L$ so that it does not specify any safety property, meaning that it does not rule out any finite behavior. More precisely, we try to choose $L$ to be a liveness property such that any finite sequence of states generated by the state machine is the prefix of a behavior in $P$. For our results, it is not necessary that $L$ be a liveness property; we need only require that $L$ does not specify any safety property not implied by $M$. To express this requirement formally, we say that a specification $S$ having machine property $M$ and supplementary property $L$ is machine closed iff $M = \overline{M \cap L}$. 

The following lemma implies that, for a machine-closed specification, we can ignore the supplementary property and consider only the state machine when we are interested in finite portions of behaviors. 

Lemma 1 If $M = \overline{P}$, then every prefix of a behavior in $M$ is the prefix of a behavior in $P$. 

Proof of Lemma 1 

Given: A1. $M = \overline{P}$. 
       A2. $\sigma \in M$. 
       A3. $m > 0$. 

Prove: C1. There exists $\tau \in P$ such that $\tau|m = \sigma|m$. 

Pf: 1. Choose $\sigma_i \in P$ such that $\lim \sigma_i = \sigma$. 
       Pf: A1, A2, and the definition of $\overline{P}$. 

    2. Choose $n \geq 0$ such that, for all $i \geq n$, $\sigma_i|m = \sigma|m$. 
       Pf: Definition of convergence. 

    3. C1 holds. 
       Pf: Let $\tau$ be $\sigma_n$. 

End Proof of Lemma 1 

The converse of this lemma is also true when $M$ is generated by a state machine, but we will not need it. 

2.4 Refinement Mappings 

A specification $S_1$ implements a specification $S_2$ iff the externally visible property induced by $S_1$ is a subset of the externally visible property induced by $S_2$. In other words, $S_1$ implements $S_2$ iff every externally visible behavior allowed by $S_1$ is also allowed by $S_2$. 

A refinement mapping from a specification $S_1 = (\Sigma_1, F_1, N_1, L_1)$ to a specification $S_2 = (\Sigma_2, F_2, N_2, L_2)$ is a mapping $f : \Sigma_1 \to \Sigma_2$ such that 

R1. For all $s \in \Sigma_1$: $\Pi_E(f(s)) = \Pi_E(s)$. ($f$ preserves the externally visible state component.) 

R2. $f(F_1) \subseteq F_2$. ($f$ takes initial states into initial states.) 

R3. If $\langle s, t \rangle \in N_1$ then $\langle f(s), f(t) \rangle \in N_2$ or $f(s) = f(t)$. (A state transition allowed by $N_1$ is mapped by $f$ into a [possibly stuttering] transition allowed by $N_2$.) 

R4. $f(P_1) \subseteq L_2$, where $P_1$ is the property defined by $S_1$. ($f$ maps behaviors allowed by $S_1$ into behaviors that satisfy $S_2$'s supplementary property.) 

Conditions R1-R3 are local, meaning that they can be checked by reasoning about states or pairs of states rather than about behaviors. Condition R4 is not local, but checking it is simplified by the fact that $f$ is not an arbitrary mapping on sequences, but is obtained from a mapping on states. Thus, one can apply local methods like well-founded induction to prove R4. 

Proposition 1 If there exists a refinement mapping from Si to S2, then 
Si implements S2. 
Proof of Proposition 1

Given: A1. $S_i = (\Sigma_i, F_i, N_i, L_i)$, for $i = 1, 2$.
       A2. $M_i$ is the machine property of $S_i$, for $i = 1, 2$.
       A3. $f$ is a refinement mapping from $S_1$ to $S_2$.
       A4. $\eta \in \Gamma(\Pi_E(M_1 \cap L_1))$.
Prove: C1. $\eta \in \Gamma(\Pi_E(M_2 \cap L_2))$.
Pf: 1. $f(M_1) \subseteq M_2$.
       Given: A1.1. $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle \in M_1$.
       Prove: C1.1. $f(\sigma) \in M_2$.
       Pf: 1.1. $f(s_0) \in F_2$.
                Pf: By A1.1, A2, the definition of machine property (which
                permits stuttering), A3, and property R2 in the definition of
                refinement mapping.

           1.2. For all $i \geq 0$: $(f(s_i), f(s_{i+1})) \in N_2$ or $f(s_i) = f(s_{i+1})$.
                Pf: By A1.1, A2, the definition of machine property, A3, and
                property R3.

           1.3. C1.1 holds.
                Pf: By 1.1, 1.2, the definition of $f(\sigma)$ (it equals $\langle\langle f(s_0),
                f(s_1), \ldots\rangle\rangle$), A2, and the definition of machine property.

    2. $f(M_1 \cap L_1) \subseteq M_2 \cap L_2$.
       Pf: By 1, A3, and R4, since $g(S \cap T) \subseteq g(S) \cap g(T)$ for any sets $S$
       and $T$ and any mapping $g$.

    3. Choose $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle \in M_1 \cap L_1$ such that $\Pi_E(\sigma) \sim \eta$.
       Pf: Such a $\sigma$ exists by A4 and the definition of $\Gamma$.

    4. $\Pi_E(f(\sigma)) = \Pi_E(\sigma)$.
       Pf: By A3 and R1.

    5. $\Pi_E(f(\sigma)) \sim \eta$.
       Pf: By 3 and 4.

    6. $\Pi_E(f(\sigma)) \in \Pi_E(M_2 \cap L_2)$.
       Pf: By 3 and 2.

    7. C1 holds.
       Pf: By 5, 6, and the definition of $\Gamma$.
End Proof of Proposition 1

3 Finite Invisible Nondeterminism

The machine property $M$ of a specification is a safety property. However, the
property that is really being specified by the specification's state machine
is the externally visible property $\Gamma(\Pi_E(M))$ induced by $M$. The following
example shows that this externally visible property is not necessarily a safety
property.

Let $\Sigma_E$ be the set $\mathbf{N}$ of natural numbers, and define the state machine
$(\Sigma, F, N)$ by:

• $\Sigma$ equals $\mathbf{N} \times \mathbf{N}$.

• $F$ equals $\{(0,0)\}$.

• $N$ is the union of the following two sets:

  - $\{((0,0), (1,n)) : n \in \mathbf{N}\}$,

  - $\{((m, n+1), (m+1, n)) : m, n \in \mathbf{N}\}$.

A stutter-free behavior of this machine starts in state $(0,0)$, goes to state
$(1,n)$ for some arbitrary $n \geq 0$, then goes through the sequence of states
$(2, n-1), (3, n-2), \ldots, (n-i+1, i)$ for some $i \geq 0$, and terminates (stutters
forever) in the state $(n-i+1, i)$.

The set of externally visible behaviors induced by this state machine
consists of all sequences obtainable by stuttering from a sequence of
the form $\langle\langle 0, 1, 2, \ldots, n, n, n, \ldots\rangle\rangle$. This set is not closed, because
$\lim_{n \to \infty} \langle\langle 0, 1, \ldots, n, n, n, \ldots\rangle\rangle = \langle\langle 0, 1, 2, 3, \ldots\rangle\rangle$, and
$\langle\langle 0, 1, 2, 3, \ldots\rangle\rangle$ is not in the set. The externally visible
property specified by this state machine is the conjunction of two properties:

1. The set of all behaviors that start in state 0 and change state only by
   adding 1 to the previous state.

2. The set of terminating behaviors.

The first property is a safety property, but the second is a liveness property;
their intersection is neither a safety nor a liveness property.

The purpose of a specification is to specify an externally visible property.
We feel that the externally visible property specified by a state machine
should be a safety property, so we want to restrict the class of allowed state
machines.

The reason the externally visible property defined by the state machine
in our example is not a safety property can be traced to the existence of
infinitely many state transitions $((0,0), (1,n))$ that correspond to the same
externally visible transition $(0, 1)$. It is this type of infinite invisible
nondeterminism that allows the introduction of liveness into the externally visible
property of a state machine. To ensure that a state machine specifies only
safety properties, we must restrict it to having finite invisible nondeterminism.

Instead of defining the concept of finite invisible nondeterminism for a
state machine, it is more general to define it for a property. A state machine
is defined to have finite invisible nondeterminism iff the property it generates
does.

Definition 1 Let $P$ be a property and $O$ its induced externally visible property
$\Gamma(\Pi_E(P))$. We say that $P$ is fin (finitely invisibly nondeterministic)
iff for all $\eta \in O$ and all $n \geq 0$, the set

    $\{\natural(\sigma|_m) : (m \geq 0) \wedge (\sigma \in P) \wedge (\Pi_E(\sigma|_m) \sim \eta|_n)\}$

is finite. We say that a specification is fin iff the complete property of the
specification is fin.

In other words, property $P$ is fin iff every finite prefix $\eta|_n$ of any externally
visible behavior $\eta$ is the projection of only finitely many inequivalent
(under $\sim$) finite prefixes $\sigma|_m$ of complete behaviors $\sigma$ in $P$.
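As an added illustration (Python code written for this edit, not part of the paper), the following evaluates the set of Definition 1 for the state machine of Section 3. Because that set is infinite for the prefix $\langle\langle 0, 1\rangle\rangle$, the invisible choice of $n$ in the step $(0,0) \to (1,n)$ is capped at an assumed bound $K$, and the size of the set is shown to grow with $K$, which is exactly the failure of fin.

```python
# Added example, not from the paper: Definition 1 applied to the state
# machine of Section 3.  The machine's first step (0,0) -> (1,n) makes an
# invisible choice among infinitely many n, so the prefix set of Definition 1
# is infinite.  To compute anything we cap that choice at an assumed bound K
# and watch the set grow with K.

def successors(state, K):
    """Transition relation N of the Section 3 machine, with the choice of n
    in the step (0,0) -> (1,n) limited to n <= K (assumption)."""
    m, r = state
    if state == (0, 0):
        return [(1, n) for n in range(K + 1)]
    if r > 0:
        return [(m + 1, r - 1)]        # (m, r) -> (m+1, r-1)
    return []                          # (m, 0): can only stutter forever

def proj_E(state):
    """Pi_E: the externally visible component is the first coordinate."""
    return state[0]

def stutter_free(seq):
    """The natural-sign operator: remove repeated consecutive elements."""
    out = []
    for x in seq:
        if not out or out[-1] != x:
            out.append(x)
    return tuple(out)

def definition1_set(eta_prefix, K):
    """{ stutter_free(sigma|m) : sigma in P, Pi_E(sigma|m) ~ eta|n } for the
    capped machine, where eta|n is given as a stutter-free tuple.  Prefixes
    are explored from the initial state (0,0); a stutter-free prefix is
    extended only while its projection is still shorter than eta|n."""
    found = set()
    stack = [((0, 0),)]
    while stack:
        prefix = stack.pop()
        visible = stutter_free(proj_E(s) for s in prefix)
        if visible == eta_prefix:
            found.add(prefix)
        if len(visible) >= len(eta_prefix):
            continue
        for nxt in successors(prefix[-1], K):
            stack.append(prefix + (nxt,))
    return found

def growth(eta_prefix, bounds):
    """Size of the Definition 1 set for each bound: if the sizes keep growing,
    no finite bound captures the machine, i.e. the property is not fin."""
    return [len(definition1_set(eta_prefix, K)) for K in bounds]

if __name__ == "__main__":
    # eta = <<0, 1, 2, ...>>; its prefix <<0, 1>> corresponds to the external
    # transition (0, 1) that Section 3 blames for the infinite nondeterminism
    print(growth((0, 1), [1, 5, 50]))        # -> [2, 6, 51]
    print(growth((0, 1, 2), [1, 5, 50]))     # -> [1, 5, 50]
```

For the prefix $\langle\langle 0\rangle\rangle$ the set is the singleton $\{\langle\langle (0,0)\rangle\rangle\}$ whatever the bound; it is only at the invisible choice of $n$ that the count escapes every bound.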

If a property $M$ is fin then every stronger property $P$ is also fin. (Property
$P$ is stronger than property $M$ iff $P \subseteq M$.) In our main theorem,
instead of requiring that the state machine of $S_2$ is fin, we make the weaker
assumption that $S_2$ is fin. This is strictly weaker only if $S_2$ is not machine
closed, since a machine-closed specification is fin iff its state machine is fin.

The following proposition asserts that the externally visible property
of a fin state machine is a safety property. It is a simple corollary of the
subsequent lemma, which will be used later as well.

Proposition 2 If a safety property $P$ is fin, then the externally visible
property $\Gamma(\Pi_E(P))$ that it induces is also a safety property.

Lemma 2 (Closure and nondeterminism) Let property $P$ be fin and let
$O$ be the externally visible property that it induces. If $\delta$ is a limit point of $O$
then there is a limit point $\rho$ of $P$ such that $\Pi_E(\rho) \sim \delta$.

Proof of Lemma 2

Given: A1. $P$ is fin.
       A2. $O = \Gamma(\Pi_E(P))$.
       A3. $\delta$ is a limit point of $O$.
Prove: C1. There exists $\rho$ such that:
       C1a. $\rho$ is a limit point of $P$.
       C1b. $\Pi_E(\rho) \sim \delta$.

Pf: 1. Let $\Theta_n$ equal $\{\natural(\sigma|_m) : (m \geq 0) \wedge (\sigma \in P) \wedge (\Pi_E(\sigma|_m) \sim \delta|_n)\}$. For
       all $n$, the set $\Theta_n$ is finite. ($\Theta_n$ is the set of stutter-free prefixes of
       behaviors in $P$ that are externally equivalent to $\delta|_n$.)
       Pf: By A3, we can choose $\eta \in O$ such that $\eta|_n = \delta|_n$. Statement 1
       then follows from A1 and Definition 1.

    2. For all $n$, the set $\Theta_n$ is nonempty.
       Pf: 2.1. Choose $\eta \in O$ such that $\eta|_n = \delta|_n$.
                Pf: A3 implies the existence of $\eta$.

           2.2. Choose $\sigma \in P$ such that $\Pi_E(\sigma) \sim \eta$.
                Pf: A2 and the definition of $\Gamma$ imply the existence of $\sigma$.

           2.3. There exists $m$ such that $\Pi_E(\sigma|_m) \sim \eta|_n$.
                Pf: 2.2 and the definition of $\sim$.

           2.4. $\natural(\sigma|_m) \in \Theta_n$, so $\Theta_n$ is nonempty.
                Pf: $\sigma \in P$ (by 2.2), and $\Pi_E(\sigma|_m) \sim \delta|_n$ (by 2.3 and 2.1), so 2.4
                follows from 1 (the definition of $\Theta_n$).

    3. For finite sequences $\sigma$ and $\tau$, let $\sigma \preceq \tau$ iff there is a (possibly empty)
       sequence $\chi$ such that $\tau = \sigma \cdot \chi$. For all $n$ and all $\theta \in \Theta_{n+1}$ there
       exists $\theta' \in \Theta_n$ such that $\theta' \preceq \theta$.
       Pf: By 1 (the definition of $\Theta_n$), since if $\Pi_E(\tau|_m) \sim \delta|_{n+1}$, then there
       exists $m' \leq m$ such that $\Pi_E(\tau|_{m'}) \sim \delta|_n$.

    4. There is an infinite sequence $\rho_1 \preceq \rho_2 \preceq \rho_3 \preceq \cdots$ with each $\rho_i \in \Theta_i$.
       Pf: By 1, 2, 3 and König's Lemma [Knu73, pages 381-383].

    5. For all $i$, choose $\rho'_i$ such that:
       5a. $\rho'_i \sim \rho_i$.
       5b. $\|\rho'_i\| \geq i$.
       5c. $\rho'_1 \preceq \rho'_2 \preceq \rho'_3 \preceq \cdots$.
       Pf: The existence of the $\rho'_i$ is proved by induction using 4, where
       the length of $\rho'_i$ is increased by stuttering the last element when
       necessary.

    6. Let $\hat\rho_i$ be an element of $P$ such that $\rho'_i$ is a prefix of $\hat\rho_i$.
       Pf: Since $\rho_i \in \Theta_i$ (by 4), the definition of $\Theta_i$ (1) implies that there
       exists a stutter-free sequence $\psi_i \in P$ such that $\rho_i$ is a prefix of $\psi_i$.
       By 5a and the assumption that $P$ (like all properties) is invariant
       under stuttering, $\hat\rho_i$ can be obtained by adding stuttering to $\psi_i$.

    7. Let $\rho$ equal $\lim \hat\rho_i$.
       Pf: $\rho$ exists by 6 ($\rho'_i$ a prefix of $\hat\rho_i$), 5b, and 5c.

    8. C1a holds.
       Pf: Follows immediately from 7, 6 ($\hat\rho_i \in P$), and the definition of
       limit point.

    9. For every $i$ there exists an $m \geq i$ such that $\Pi_E(\hat\rho_i|_m) \sim \delta|_i$.
       Pf: 5a, 5b, 6, 4 ($\rho_i \in \Theta_i$), and 1 (the definition of $\Theta_i$).

    10. $\lim \Pi_E(\hat\rho_i) \sim \delta$.
        Pf: Follows immediately from 9.

    11. C1b holds.
        Pf: By 6 ($\hat\rho_i \in P$), 7, and 10, since $\lim \psi_i = \psi$ implies
        $\lim \Pi_E(\psi_i) = \Pi_E(\psi)$.
End Proof of Lemma 2

For a state machine to be fin, it may not make an infinite nondeterministic
choice unless all but a finite part of that choice is immediately revealed
in the externally visible state. We can weaken our definition by requiring
only that the choice eventually be revealed. Formally, this means defining a
property $P$ with induced externally visible property $O$ to be fin iff for every
$\eta$ in $O$ and $n \geq 0$ there exists an $n' \geq n$ such that the set

    $\{\natural(\sigma|_m) : (m \geq 0) \wedge (\sigma \in P) \wedge (\Pi_E(\sigma|_m) \sim \eta|_n)
      \wedge \exists m' : (\Pi_E(\sigma|_{m'}) \sim \eta|_{n'})\}$

is finite. However, using this weaker definition of finite invisible
nondeterminism would require somewhat more powerful prophecy variables and
would complicate our proofs, so we will stick with our original definition.

4 Safety Properties 

Alpern and Schneider [AS87] and others have observed in the finite-state 
case that there is a correspondence between state machines and externally 
visible safety properties. We extend their results to the infinite-state case 
for state machines with finite invisible nondeterminism. We also prove a 
result that allows us to apply our completeness theorem to safety properties 
even when the internal continuity hypothesis defined later is not satisfied. 

Proposition 2 implies that the externally visible property generated by 
a fin state machine is a safety property. We now prove the converse. 

Proposition 3 Every externally visible safety property can be generated by 
a state machine with finite invisible nondeterminism. 
Proof of Proposition 3

Given: A1. $O$ is a $\Sigma_E$-property.
       A2. $\overline{O} = O$.

Prove: C1. There exists a state machine $(\Sigma, F, N)$ generating a (complete)
       property $M$ such that
       C1a. $M$ is fin.
       C1b. $O \subseteq \Gamma(\Pi_E(M))$.
       C1c. $\Gamma(\Pi_E(M)) \subseteq O$.
Pf: 1. Define the state machine $(\Sigma, F, N)$ as follows:

       • $\Sigma = \{(\mathrm{last}(\theta|_n), \theta|_n) : n \geq 1 \wedge \theta \in O\}$. ($\Sigma$ consists of all pairs
         $(e_i, \langle\langle e_0, e_1, \ldots, e_i\rangle\rangle)$ such that $\langle\langle e_0, e_1, \ldots, e_i\rangle\rangle$ is a prefix of a
         sequence in $O$.)

       • $F = \{(e, \langle\langle e\rangle\rangle) \in \Sigma\}$. (The starting states are ones whose internal
         components have length one.)

       • $N = \{((e, h), (e', h \cdot \langle\langle e'\rangle\rangle)) \in \Sigma \times \Sigma\}$. (The machine can go from
         state $(e_i, \langle\langle e_0, \ldots, e_i\rangle\rangle)$ only to state $(e_{i+1}, \langle\langle e_0, \ldots, e_i, e_{i+1}\rangle\rangle)$ for
         some $e_{i+1}$.)

    2. A stutter-free sequence $\langle\langle (e_0, h_0), (e_1, h_1), \ldots\rangle\rangle$ is in $M$ iff, for all $i \geq 0$,
       $h_i = \langle\langle e_0, e_1, \ldots, e_i\rangle\rangle$ and there exists $\psi_i \in O$ such that $h_i = \psi_i|_{i+1}$.
       Pf: Follows easily by induction from the definition of the state machine
       $(\Sigma, F, N)$ and of the property that it generates.

    3. C1a holds.
       Pf: By Definition 1, we must show that for any $\eta \in O$ and all $n \geq 0$
       the set

           $\{\natural(\sigma|_m) : (m \geq 0) \wedge (\sigma \in M) \wedge (\Pi_E(\sigma|_m) \sim \eta|_n)\}$

       is finite. However, it follows from 2 that if $\eta = \langle\langle e_0, e_1, \ldots\rangle\rangle$ then
       this set contains only the single element

           $\langle\langle (e_0, \langle\langle e_0\rangle\rangle), (e_1, \langle\langle e_0, e_1\rangle\rangle), \ldots, (e_{n-1}, \langle\langle e_0, \ldots, e_{n-1}\rangle\rangle)\rangle\rangle$.

    4. C1b holds.
       Pf: For any $\eta = \langle\langle e_0, e_1, \ldots\rangle\rangle$ in $O$, statement 2 implies that
       $\sigma = \langle\langle \ldots, (e_i, \eta|_{i+1}), \ldots\rangle\rangle$ is in $M$, and obviously $\Pi_E(\sigma) = \eta$.

    5. $\Pi_E(M) \subseteq O$.
       Given: A5.1. $\langle\langle (e_0, h_0), (e_1, h_1), \ldots\rangle\rangle \in M$.
       Prove: C5.1. $\langle\langle e_0, e_1, \ldots\rangle\rangle \in O$.
       Pf: 5.1. For all $i \geq 0$ choose $\eta_i \in O$ such that $\eta_i|_{i+1} = \langle\langle e_0, \ldots, e_i\rangle\rangle$.
                Pf: By 2, the $\eta_i$ exist.

           5.2. $\lim \eta_i = \langle\langle e_0, e_1, \ldots\rangle\rangle$.
                Pf: Follows immediately from 5.1.

           5.3. C5.1 holds.
                Pf: By 5.1 (which asserts that $\eta_i \in O$), 5.2, A2, and the definition
                of $\overline{O}$.

    6. C1c holds.
       Pf: By 5 and the assumption that $O$ is a property (A1), so $\Gamma(O) = O$.
End Proof of Proposition 3

If specification $S_2$ is not internally continuous, it is possible for it to be
implemented by a specification $S_1$ without there being a refinement mapping
from $S_1$ to $S_2$. (Internal continuity was mentioned in the introduction and
will be defined formally in Section 6.) However, since safety properties are
internally continuous, we would expect to be able to prove that, whenever $S_1$
implements $S_2$, the externally visible machine property of $S_1$ implements
the externally visible machine property of $S_2$. Combined with our main
theorem, the following result shows that this is always possible if $S_1$ is
machine closed and the machine property of $S_2$ is fin.

Theorem 1 (Separate safety proofs) Let $P_1 = M_1 \cap L_1$ and $P_2 = M_2 \cap L_2$,
where the $L_i$ are arbitrary properties and the $M_i$ are safety properties;
and let $O_i$ and $O_i^M$ be the externally visible properties induced by $P_i$ and $M_i$,
respectively. If $M_1 = \overline{P_1}$, $M_2$ is fin, and $O_1 \subseteq O_2$, then $O_1^M \subseteq O_2^M$.

Proof of Theorem 1

Given: A1. For $i = 1, 2$:
           A1a. $P_i = M_i \cap L_i$.
           A1b. $M_i$ closed.
           A1c. $O_i = \Gamma(\Pi_E(P_i))$.
           A1d. $O_i^M = \Gamma(\Pi_E(M_i))$.
       A2. $M_1 = \overline{P_1}$.
       A3. $M_2$ is fin.
       A4. $O_1 \subseteq O_2$.

Prove: C1. $O_1^M \subseteq O_2^M$.

Pf: 1. For any set $Q$ of behaviors $\Gamma(\overline{Q}) \subseteq \overline{\Gamma(Q)}$.
       Given: A1.1. $\sigma \in \Gamma(\overline{Q})$.
       Prove: C1.1. $\sigma \in \overline{\Gamma(Q)}$.

       Pf: 1.1. There exists $\sigma' \in \overline{Q}$ such that $\sigma' \sim \sigma$.
                Pf: A1.1 and the definition of $\Gamma$.
           1.2. There exists a function $r$ such that, for all $i \geq 0$, $\sigma|_i \sim \sigma'|_{r(i)}$.
                Pf: 1.1 and the definition of $\sim$.
           1.3. For all $i \geq 0$ there exists $\tau^i \in Q$ such that $\tau^i|_{r(i)} = \sigma'|_{r(i)}$.
                Pf: Definition of $\overline{Q}$ and 1.1.

           1.4. $\sigma|_i \sim \tau^i|_{r(i)}$.
                Pf: 1.2 and 1.3.

           1.5. For each $i$, let $\tau^i = \langle\langle t_{i,0}, t_{i,1}, \ldots\rangle\rangle$ and define $\tau_i$ to equal
                $\sigma|_i \cdot \langle\langle t_{i,r(i)}, t_{i,r(i)+1}, \ldots\rangle\rangle$. Then $\tau_i \sim \tau^i$.
                Pf: 1.4.

           1.6. $\tau_i \in \Gamma(Q)$.
                Pf: $\tau_i \sim \tau^i$ (by 1.5), $\tau^i \in Q$ (by 1.3), and the definition of $\Gamma$.

           1.7. $\lim \tau_i = \sigma$.
                Pf: By 1.5 and the definition of convergence.

           1.8. C1.1 holds.
                Pf: 1.6, 1.7, and the definition of closure.

    2. For any set $Q$ of behaviors $\Pi_E(\overline{Q}) \subseteq \overline{\Pi_E(Q)}$.
       Given: A2.1. $\eta \in \Pi_E(\overline{Q})$.
       Prove: C2.1. $\eta \in \overline{\Pi_E(Q)}$.

       Pf: 2.1. There exists $\sigma \in \overline{Q}$ such that $\eta = \Pi_E(\sigma)$.
                Pf: A2.1.

           2.2. For all $i \geq 0$ choose $\tau_i$ in $Q$ such that $\tau_i|_i = \sigma|_i$.
                Pf: 2.1 and the definition of $\overline{Q}$.

           2.3. For all $i \geq 0$, $\Pi_E(\tau_i)|_i = \eta|_i$.
                Pf: 2.1 and 2.2, since $\Pi_E(\psi|_i) = (\Pi_E(\psi))|_i$ for any sequence $\psi$.

           2.4. $\Pi_E(\tau_i) \in \Pi_E(Q)$.
                Pf: By 2.2 ($\tau_i \in Q$).

           2.5. C2.1 holds.
                Pf: By 2.3, which implies $\lim \Pi_E(\tau_i) = \eta$, and 2.4.

    3. $O_1^M \subseteq \overline{O_1}$.
       Pf: 3.1. $O_1^M = \Gamma(\Pi_E(\overline{P_1}))$.
                Pf: A2 and A1d.

           3.2. $\overline{O_1} = \overline{\Gamma(\Pi_E(P_1))}$.
                Pf: A1c.

           3.3. $\Pi_E(\overline{P_1}) \subseteq \overline{\Pi_E(P_1)}$.
                Pf: 2.

           3.4. $O_1^M \subseteq \Gamma(\overline{\Pi_E(P_1)})$.
                Pf: 3.1, 3.3, and monotonicity of $\Gamma$.

           3.5. $\Gamma(\overline{\Pi_E(P_1)}) \subseteq \overline{\Gamma(\Pi_E(P_1))}$.
                Pf: 1.

           3.6. 3 holds.
                Pf: 3.4, 3.5, and 3.2.

    4. $\overline{O_1} \subseteq \overline{O_2}$.
       Pf: A4 and monotonicity of the closure operation.

    5. $O_2 \subseteq O_2^M$.
       Pf: A1a, A1c, A1d, and the monotonicity of $\Pi_E$ and $\Gamma$.

    6. $\overline{O_2} \subseteq \overline{O_2^M}$.
       Pf: 5 and monotonicity of closure.

    7. $\overline{O_2^M} = O_2^M$.
       Pf: A1b, A1d, A3, and Proposition 2.

    8. C1 holds.
       Pf: 3, 4, 6, and 7.
End Proof of Theorem 1

5 Auxiliary Variables 

Although in practice refinement mappings usually exist, they do not always 
exist. To construct a refinement mapping, it may be necessary to add auxil- 
iary variables. We now formally define two types of auxiliary variables: the 
well-known history variable and the new prophecy variable. These auxiliary 
variables are added to a specification's state machine; the supplementary 
property is essentially left unchanged. 

5.1 History Variables

Adding a history variable means augmenting the state space with an additional
component $\Sigma_h$ and modifying the state machine in such a way
that this additional component records past information but does not affect
the behavior of the original state components. Formally, a specification
$S^h = (\Sigma^h, F^h, N^h, L^h)$ is said to be obtained from the specification
$S = (\Sigma, F, N, L)$ by adding a history variable iff the following five conditions
are satisfied. In these conditions, we identify $(\Sigma_E \times \Sigma_I) \times \Sigma_h$ with
$\Sigma_E \times (\Sigma_I \times \Sigma_h)$ (so H1 implies that $\Sigma^h$ is a state space), and we let $\Pi_{[H]}$
be the obvious projection mapping from $\Sigma \times \Sigma_h$ onto $\Sigma$. (In the intuitive
explanation, we say that a $S^h$-behavior $\sigma$ simulates the $S$-behavior $\Pi_{[H]}(\sigma)$.)

H1. $\Sigma^h \subseteq \Sigma \times \Sigma_h$ for some set $\Sigma_h$.

H2. $\Pi_{[H]}(F^h) = F$. (A state in $\Sigma$ is an initial state of $S$ iff it is the first
    component of an initial state of $S^h$.)

H3. If $((s, h), (s', h')) \in N^h$ then $(s, s') \in N$ or $s = s'$. (Every step of
    $S^h$'s state machine simulates a [possibly stuttering] step of $S$'s state
    machine.)

H4. If $(s, s') \in N$ and $(s, h) \in \Sigma^h$ then there exists $h' \in \Sigma_h$ such that
    $((s, h), (s', h')) \in N^h$. (From any state, $S^h$'s state machine can simulate
    any possible step of $S$'s state machine.)

H5. $L^h = \Pi_{[H]}^{-1}(L)$. (A $S^h$-behavior is in $L^h$ iff the $S$-behavior that it
    simulates is in $L$.)

The following result shows that adding a history variable leaves an im- 
plementation essentially unchanged. 

Proposition 4 (Soundness of history variables) If $S^h$ is obtained from
$S$ by adding a history variable, then the two specifications define the same
externally visible property.

Proof of Proposition 4

Given: A1. $S = (\Sigma, F, N, L)$, $S^h = (\Sigma^h, F^h, N^h, L^h)$, and H1-H5 hold.
       A2. $M$ and $M^h$ are the machine properties of $S$ and $S^h$, respectively.
       A3. $P = M \cap L$ and $P^h = M^h \cap L^h$.
       A4. $O = \Gamma(\Pi_E(P))$ and $O^h = \Gamma(\Pi_E(P^h))$.
Prove: C1. $O^h \subseteq O$.
       C2. $O \subseteq O^h$.
Pf: 1. $\Pi_{[H]}(M^h) \subseteq M$.
       Pf: Follows from A2, A1 (conditions H2 and H3), and the definition
       of the machine property of a specification.

    2. $\Pi_{[H]}(P^h) \subseteq P$.
       Pf: From A3, 1, and H5, since $g(S \cap T) \subseteq g(S) \cap g(T)$ for any function
       $g$ and sets $S$ and $T$.

    3. C1 holds.
       Pf: From 2, A4, and the fact that $\Pi_E(\Pi_{[H]}(s)) = \Pi_E(s)$ for any
       $s \in \Sigma^h$.

    4. $P \subseteq \Pi_{[H]}(P^h)$.
       Given: A4.1. $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle$ in $P$.
       Prove: C4.1. There exists $\tau \in P^h$ such that $\Pi_{[H]}(\tau) = \sigma$.
       Pf: 4.1. $s_0 \in F$ and, for all $i \geq 0$, $(s_i, s_{i+1}) \in N$.
                Pf: A3 and the definition of machine property.

           4.2. For all $i \geq 0$ choose $h_i$ inductively such that $(s_0, h_0) \in F^h$ and
                $((s_i, h_i), (s_{i+1}, h_{i+1})) \in N^h$.
                Pf: The existence of $h_0$ follows from 4.1 ($s_0 \in F$) and H2; for
                $i \geq 0$, the existence of $h_{i+1}$ follows from 4.1 ($(s_i, s_{i+1}) \in N$)
                and H4.

           4.3. Let $\tau = \langle\langle (s_0, h_0), (s_1, h_1), \ldots\rangle\rangle$. Then $\tau \in M^h$.
                Pf: 4.2, A2, and the definition of machine property.

           4.4. $\Pi_{[H]}(\tau) = \sigma$.
                Pf: By definition of $\tau$ (4.3).

           4.5. $\tau \in L^h$.
                Pf: 4.4, H5, and A4.1.

           4.6. C4.1 holds.
                Pf: 4.5, 4.3, and A3, which imply that $\tau \in P^h$, and 4.4.

    5. C2 holds.
       Pf: From 4, A4, the monotonicity of $\Gamma$ and $\Pi_E$, and the fact that
       $\Pi_E(\Pi_{[H]}(s)) = \Pi_E(s)$ for any $s \in \Sigma^h$.
End Proof of Proposition 4

5.2 Simple Prophecy Variables

A prophecy variable is the dual of a history variable; its definition is almost
that of a history variable with time running backwards. Intuitively, whereas
a history variable records past behavior, a prophecy variable guesses future
behavior. Using notation similar to that used in defining history variables,
we define a specification $S^P = (\Sigma^P, F^P, N^P, L^P)$ to be obtained from $S =
(\Sigma, F, N, L)$ by adding a prophecy variable iff the following conditions are
satisfied. (Conditions P2' and P4' will be replaced in Section 5.3.)

P1. $\Sigma^P \subseteq \Sigma \times \Sigma_p$ for some set $\Sigma_p$.

P2'. $F^P = \Pi_{[P]}^{-1}(F)$. (This is the expected correspondence between the
     initial states of the two specifications.)

P3. If $((s, p), (s', p')) \in N^P$ then $(s, s') \in N$ or $s = s'$. (Every step of
    $S^P$'s state machine simulates a [possibly stuttering] step of $S$'s state
    machine.)

P4'. If $(s, s') \in N$ and $(s', p') \in \Sigma^P$ then there exists $p \in \Sigma_p$ such that
     $((s, p), (s', p')) \in N^P$. (From every state in $\Sigma^P$, the state machine of
     $S^P$ can take a backwards step that simulates any possible backwards
     step of $S$'s state machine. This is the time-reversed version of condition
     H4.)

P5. $L^P = \Pi_{[P]}^{-1}(L)$. (The supplementary property of $S^P$ is the set of
    behaviors that simulate behaviors in the supplementary property of $S$.)

P6. For all $s \in \Sigma$, the set $\Pi_{[P]}^{-1}(s)$ is finite and nonempty. (To every state
    of $S$ there corresponds some nonzero finite number of states of $S^P$.)

Condition P6 is the only one not corresponding to any condition for history
variables. It is needed because time reversal is asymmetric — all behaviors
have initial states but only terminating behaviors have final states. The
second example below indicates why it is needed.

We now give two examples to illustrate the definition of prophecy
variables. We mention only the state machines; the supplementary property can
be taken to be the trivial one containing all behaviors.

For our first example, we take a state machine that nondeterministically
generates an integer between 0 and 9. To do this, the machine counts up by
one until it either decides to stop or else reaches 9, at which point it stutters
forever. The set $\Sigma_E$ of externally visible states is the set $\mathbf{N}$ of natural
numbers, and the internal state component is a Boolean that becomes true
when the final value is reached. (The Boolean values are written t and f.)

• $\Sigma = \mathbf{N} \times \{t, f\}$.

• $F = \{(0, f)\}$.

• $N$ is the union of the following two sets:

  - $\{((k-1, f), (k, f)) : 0 < k < 10\}$,

  - $\{((k, f), (k, t)) : k \in \mathbf{N}\}$.

The set of stutter-free behaviors generated by this state machine consists of
all sequences of the forms

    $\langle\langle (0, f), (1, f), \ldots, (n, f), (n, t), (n, t), (n, t), \ldots\rangle\rangle$

and

    $\langle\langle (0, f), (1, f), \ldots, (n, f), (n, f), (n, f), \ldots\rangle\rangle$

with $0 \leq n < 10$.

We now add a prophecy variable whose value is a natural number. This
variable "predicts" the maximum number of nonstuttering steps that the
state machine will take. The precise definition of the new state machine is:

• $\Sigma^P$ is the union of the following two sets:

  - $\{(i, f, j) : 0 \leq i,\ 0 \leq j,\ \text{and } i + j < 10\}$,

  - $\{(i, t, 0) : 0 \leq i < 10\}$.

• $F^P = \{(0, f, j) \in \Sigma^P\}$.

• $N^P$ is the union of the following two sets:

  - $\{((k-1, f, j+1), (k, f, j)) \in \Sigma^P \times \Sigma^P\}$,

  - $\{((k, f, 0), (k, t, 0)) \in \Sigma^P \times \Sigma^P\}$.

The reader can check that the conditions P1-P4' and P6 given above are
satisfied. (Condition P5 is satisfied if $L$ and $L^P$ are the trivial properties
that contain all behaviors.) Observe that although condition P4' is satisfied,
condition H4 is not. The state machine can take a backwards step from the
state $(6, f, 0)$ but not a forward step.

The only stutter-free behaviors of $(\Sigma^P, F^P, N^P)$ starting from the state
$(0, f, n)$ are of the forms

    $\langle\langle (0, f, n), (1, f, n-1), \ldots, (n, f, 0), (n, t, 0), (n, t, 0), \ldots\rangle\rangle$

and

    $\langle\langle (0, f, n), (1, f, n-1), \ldots, (i, f, n-i), (i, f, n-i), \ldots\rangle\rangle$

with $0 \leq i \leq n$. The set of externally visible behaviors generated by the
two state machines is the same; the stutter-free behaviors have the form
$\langle\langle 0, 1, \ldots, n, n, n, \ldots\rangle\rangle$ for some $n$ less than 10. State machine $(\Sigma, F, N)$
decides nondeterministically when it is going to stop counting, while in state
machine $(\Sigma^P, F^P, N^P)$ this choice is made by the initial value of the prophecy
variable.
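The check the reader is invited to perform above, carried out mechanically in Python code added for this edit (it is not the paper's own). It builds the two counter machines with the bound 10, tests P1, P2', P3, P4' and P6, confirms that H4 fails at $(6, f, 0)$, verifies that the projection $\Pi_{[P]}$ satisfies the local refinement-mapping conditions R1-R3 of Section 2.4, and compares the two machines' externally visible behaviors. It assumes $\Sigma$ restricted to counter values 0..9, the only values the bounded machine can reach.

```python
# Added example, not from the paper: the two counter state machines of
# Section 5.2 (with the bound "10"), a check of the prophecy-variable
# conditions P1, P2', P3, P4' and P6, the failure of H4 at (6,f,0), the local
# refinement-mapping conditions R1-R3 of Section 2.4 for the projection
# Pi_[P], and the equality of the two machines' externally visible behaviors.
# Assumption: Sigma is restricted to counter values 0..9, the only values the
# bounded machine can reach (the paper takes Sigma = N x {t,f}).

BOUND = 10                 # the paper's "10"; the second example replaces it by infinity
T, F_ = True, False        # the Boolean values written t and f in the paper

# original machine (Sigma, F, N): the counter may stop at any value below BOUND
Sigma = {(i, b) for i in range(BOUND) for b in (T, F_)}
F = {(0, F_)}
N = ({((k - 1, F_), (k, F_)) for k in range(1, BOUND)}      # count up by one
     | {((k, F_), (k, T)) for k in range(BOUND)})           # decide to stop

# machine with prophecy variable (Sigma^P, F^P, N^P); the third component
# predicts how many more counting steps will be taken
SigmaP = ({(i, F_, j) for i in range(BOUND) for j in range(BOUND) if i + j < BOUND}
          | {(i, T, 0) for i in range(BOUND)})
FP = {s for s in SigmaP if s[:2] == (0, F_)}
NP = ({((k - 1, F_, j + 1), (k, F_, j))                     # both ends lie in SigmaP
       for k in range(1, BOUND) for j in range(BOUND) if k + j < BOUND}
      | {((k, F_, 0), (k, T, 0)) for k in range(BOUND)})

def proj_P(s):
    """Pi_[P]: drop the prophecy component."""
    return s[:2]

def proj_E(s):
    """Pi_E: keep the externally visible component (the counter)."""
    return s[0]

def preimage(s):
    """Pi_[P]^{-1}(s): states of the augmented machine projecting onto s."""
    return {sp for sp in SigmaP if proj_P(sp) == s}

def check_prophecy_conditions():
    """Return {condition name: holds?} for P1, P2', P3, P4', P6."""
    p1 = all(proj_P(sp) in Sigma for sp in SigmaP)
    p2 = FP == {sp for s in F for sp in preimage(s)}
    p3 = all((proj_P(a), proj_P(b)) in N or proj_P(a) == proj_P(b) for a, b in NP)
    # P4': every original step can be simulated backwards from any augmented target
    p4 = all(any((sp, spp) in NP for sp in preimage(s))
             for (s, s1) in N for spp in preimage(s1))
    # P6: preimages are finite by construction, so only nonemptiness needs a check
    p6 = all(len(preimage(s)) > 0 for s in Sigma)
    return {"P1": p1, "P2'": p2, "P3": p3, "P4'": p4, "P6": p6}

def h4_holds_at(sp, s1):
    """Condition H4 for one step: from augmented state sp, can N^P simulate
    the original step (Pi_[P](sp), s1) forwards?"""
    assert (proj_P(sp), s1) in N
    return any((sp, spp) in NP for spp in preimage(s1))

def is_local_refinement_mapping(f, Sig1, F1, N1, F2, N2):
    """Conditions R1-R3 of Section 2.4 for f : Sig1 -> Sig2.  R4 is not local
    and is not checked here."""
    r1 = all(proj_E(f(s)) == proj_E(s) for s in Sig1)
    r2 = all(f(s) in F2 for s in F1)
    r3 = all((f(s), f(t)) in N2 or f(s) == f(t) for s, t in N1)
    return r1 and r2 and r3

def external_behaviors(init, trans):
    """Stutter-free externally visible forms of all behaviors of a machine
    whose every behavior terminates: each finite path from an initial state,
    continued by stuttering forever, is one behavior."""
    succ = {}
    for a, b in trans:
        succ.setdefault(a, set()).add(b)
    result = set()
    stack = [(s, (s,)) for s in init]
    while stack:
        s, path = stack.pop()
        visible = []
        for st in path:                      # project, then drop stuttering
            if not visible or visible[-1] != proj_E(st):
                visible.append(proj_E(st))
        result.add(tuple(visible))
        for s2 in succ.get(s, ()):
            stack.append((s2, path + (s2,)))
    return result

if __name__ == "__main__":
    print(check_prophecy_conditions())
    print("H4 at (6,f,0) for the step to (7,f):", h4_holds_at((6, F_, 0), (7, F_)))
    print("Pi_[P] satisfies R1-R3:",
          is_local_refinement_mapping(proj_P, SigmaP, FP, NP, F, N))
    print("same visible behaviors:",
          external_behaviors(F, N) == external_behaviors(FP, NP))
```

Replacing BOUND by a large value shows why the second example below fails: the preimage of $(0, f)$ grows with the bound, so P6 cannot survive the passage to infinity.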

As our second example, replace "10" by "$\infty$" in the definitions of the
two state machines. Conditions P1-P4' still hold, but P6 does not; for each
state $(i, f)$ of $\Sigma$ there are an infinite number of states $(i, f, j)$ in $\Sigma^P$. The
externally visible stutter-free behaviors of $(\Sigma^P, F^P, N^P)$ consist of sequences
of the form $\langle\langle 0, 1, \ldots, n, n, n, \ldots\rangle\rangle$ for any natural number $n$. The state
machine $(\Sigma, F, N)$ generates all these behaviors plus the additional behavior
$\langle\langle 0, 1, 2, 3, \ldots\rangle\rangle$ that never terminates. Because the finiteness condition P6
is not satisfied, adding the auxiliary variable changed the specification by
ruling out this nonterminating behavior — effectively adding a liveness
condition.

We can use our last example to indicate why we need the hypothesis
of finite invisible nondeterminism for our completeness theorem. Let $S_2$
be the specification consisting of the state machine $(\Sigma^P, F^P, N^P)$ we just
constructed (the one with "10" replaced by "$\infty$") and the trivial supplementary
property containing all $\Sigma^P$-behaviors. Let $S_1$ be the specification
with state machine $(\Sigma, F, N)$ and supplementary property $L$ consisting of
all terminating behaviors. Both specifications define the same set of externally
visible behaviors — all behaviors obtainable by stuttering from ones of
the form $\langle\langle 0, 1, \ldots, n, n, n, \ldots\rangle\rangle$. To construct a refinement mapping, we would
have to add to $S_1$ a prophecy variable that "guesses" the value of the last
component of a state of $\Sigma^P$. However, no such prophecy variable can be
constructed that satisfies P6, since for any starting state of $S_1$ there are an
infinite number of corresponding starting states of $S_2$.

The complete property $P_2$ defined by this specification $S_2$ is a safety
property, and we will see that this implies that $S_2$ is internally continuous.
Moreover, specification $S_1$ is machine closed. Nevertheless, adding auxiliary
variables to $S_1$ will not allow us to construct a refinement mapping to prove
that it implements $S_2$. Our completeness theorem does not apply because
$P_2$ is not fin.

In this example, the prophecy variable we wanted to add would not
satisfy P6. However, the supplementary property happened to ensure that
adding the prophecy variable did not change the externally visible behavior.
If we were to replace P6 by the weaker requirement that $S^P$ have the same
externally visible property as $S$, then we could find a refinement mapping.
However, this requirement is precisely what we had to prove in the first
place — namely, that $S_1$ implements $S_2$.

5.3 Prophecy Variables That Add Stuttering

We now generalize our definition of a prophecy variable to allow it to introduce
stuttering. Condition P2' asserts that a state $(s, p) \in \Sigma^P$ is an initial
state of $S^P$'s state machine iff $s$ is an initial state of $S$'s state machine. We
relax this condition by requiring only that such a state $(s, p)$ be reachable
from an initial state by steps that simulate stuttering steps. Formally, we
replace P2' by:

P2. (a) $\Pi_{[P]}(F^P) \subseteq F$.

    (b) For all $(s, p) \in \Pi_{[P]}^{-1}(F)$ there exist $p_0, p_1, \ldots, p_n = p$ such that
        $(s, p_0) \in F^P$ and, for $0 \leq i < n$, $((s, p_i), (s, p_{i+1})) \in N^P$.

Similarly, we relax condition P4' by allowing $S^P$'s state machine to simulate
the step in $S$'s state machine from state $s$ to state $s'$ by a sequence
of $n+1$ steps, the last $n$ of which simulate stuttering steps. The precise
condition that replaces P4' is:

P4. If $(s, s') \in N$ and $(s', p') \in \Sigma^P$ then there exist $p, p'_0, \ldots, p'_{n-1}, p'_n = p'$
    such that $((s, p), (s', p'_0)) \in N^P$ and, for $0 \leq i < n$, $((s', p'_i), (s', p'_{i+1})) \in N^P$.

As with history variables, the addition of prophecy variables leaves an
implementation essentially unchanged.

Proposition 5 (Soundness of prophecy variables) If $S^P$ is obtained
from $S$ by adding a prophecy variable, then the two specifications define
the same externally visible property.

Proof of Proposition 5

Given: A1. $S = (\Sigma, F, N, L)$, $S^P = (\Sigma^P, F^P, N^P, L^P)$, and P1-P6 hold.
       A2. $M$ and $M^P$ are the machine properties of $S$ and $S^P$, respectively.
       A3. $P = M \cap L$ and $P^P = M^P \cap L^P$.
       A4. $O = \Gamma(\Pi_E(P))$ and $O^P = \Gamma(\Pi_E(P^P))$.
Prove: C1. $O^P \subseteq O$.
       C2. $O \subseteq O^P$.
Pf: 1. C1 holds.
       Pf: The proof is identical to the proof of the corresponding condition
       for history variables in Proposition 4.

    2. $P \subseteq \Pi_{[P]}(P^P)$.
       Given: A2.1. $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle \in P$.
       Prove: C2.1. There exists $\tau \in P^P$ such that $\Pi_{[P]}(\tau) \sim \sigma$.
       Pf: 2.1. Let $\mathcal{G}$ be the directed graph with
                Nodes: the set $\Sigma^P \times \mathbf{N}$.
                Edges: there is an edge between $((s_i, p), i)$ and $((s_j, p'), j)$ iff
                $j = i + 1$ and either $(s_i, p) = (s_{i+1}, p')$ or there exist
                $p_0, p_1, \ldots, p_n = p'$ in $\Sigma_p$ such that $((s_i, p), (s_{i+1}, p_0)) \in N^P$
                and, for all $0 \leq k < n$, $((s_{i+1}, p_k), (s_{i+1}, p_{k+1})) \in N^P$.
                Let $\mathcal{G}'$ be the subgraph of $\mathcal{G}$ reachable from nodes of the form
                $((s_0, p), 0)$. Then $\mathcal{G}'$ is acyclic, with finite branching and a finite
                set of sources.
                Pf: It is obviously acyclic, since there is an edge from $((s, p), i)$
                to $((s', p'), i')$ only if $i' = i + 1$. Its sources are all the nodes
                of the form $((s_0, p), 0)$. For each $j$, P6 implies that there are
                only a finite set of $p$ such that $(s_j, p) \in \Sigma^P$, so $\mathcal{G}'$ has a finite
                set of sources and is finitely branching.

           2.2. For all $n \geq 0$ and all $(s_n, p) \in \Sigma^P$ there exist elements $p_0, \ldots,
                p_{n-1}$ in $\Sigma_p$ such that $\langle\langle ((s_0, p_0), 0), \ldots, ((s_n, p), n)\rangle\rangle$ is a path in
                $\mathcal{G}'$.
                Pf: The proof is by induction on $n$. The case $n = 0$ is trivial.
                For $n > 0$, condition P4 implies the existence of the required
                $p_{n-1}$, and the induction hypothesis provides $p_0, \ldots, p_{n-2}$.

           2.3. Choose elements $p_i \in \Sigma_p$ such that $\langle\langle ((s_0, p_0), 0), ((s_1, p_1), 1),
                \ldots\rangle\rangle$ is an infinite path in $\mathcal{G}'$.
                Pf: The existence of this path follows from 2.1, 2.2, and König's
                Lemma.

           2.4. Let $\rho = \langle\langle (s_0, p_0), \ldots, (s_i, p_i), \ldots\rangle\rangle$. Choose a sequence $\rho' =
                \langle\langle (s'_0, p'_0), \ldots, (s'_i, p'_i), \ldots\rangle\rangle$ such that:
                2.4a. $\Pi_{[P]}(\rho') \sim \sigma$.
                2.4b. For all $i \geq 0$: $((s'_i, p'_i), (s'_{i+1}, p'_{i+1})) \in N^P$ or
                      $(s'_i, p'_i) = (s'_{i+1}, p'_{i+1})$.
                2.4c. $(s'_0, p'_0) = (s_0, p_0)$.
                Pf: Let $\rho'$ be the supersequence of $\rho$ obtained by inserting
                between $(s_i, p_i)$ and $(s_{i+1}, p_{i+1})$ the sequence $\langle\langle (s_{i+1}, p^i_0),
                (s_{i+1}, p^i_1), \ldots, (s_{i+1}, p^i_{n-1})\rangle\rangle$ of elements in $\Sigma^P$ whose
                existence is guaranteed by 2.3 and the definition of edges in
                $\mathcal{G}'$ (2.1). (Recall that $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle$.)

           2.5. Choose $\tau = \langle\langle (t_0, q_0), (t_1, q_1), \ldots\rangle\rangle$ such that:
                2.5a. $\Pi_{[P]}(\tau) \sim \sigma$.
                2.5b. For all $i \geq 0$: $((t_i, q_i), (t_{i+1}, q_{i+1})) \in N^P$ or
                      $(t_i, q_i) = (t_{i+1}, q_{i+1})$.
                2.5c. $(t_0, q_0) \in F^P$.
                Pf: By A2.1, we have $s_0 \in F$. By P2, there exists a finite
                sequence $\langle\langle (s_0, p''_0), \ldots, (s_0, p''_n)\rangle\rangle$ of elements in $\Sigma^P$ such that
                $(s_0, p''_0) \in F^P$, each $((s_0, p''_i), (s_0, p''_{i+1})) \in N^P$, and $p''_n = p_0$.
                Let $\tau = \langle\langle (s_0, p''_0), \ldots, (s_0, p''_{n-1})\rangle\rangle \cdot \rho'$.

           2.6. $\tau \in M^P$.
                Pf: By A2, 2.5b, and 2.5c.

           2.7. $\tau \in P^P$.
                Pf: By A3, 2.6, and P5.

           2.8. C2.1 holds.
                Pf: 2.7, 2.5a.

    3. C2 holds.
       Pf: From 2, A1-A4, and the fact that $\Pi_E(\Pi_{[P]}(t)) = \Pi_E(t)$ for any
       $t \in \Sigma^P$.
End Proof of Proposition 5

6 Internal Continuity

We now define internal continuity, which appears in the third hypothesis of
our main theorem. But first, we give an example that indicates why the
hypothesis is needed for our completeness theorem.

Let $\Sigma_E = \mathbf{N}$, let $\eta_i$ be the terminating sequence $\langle\langle 0, 1, \ldots, i, i, i, \ldots\rangle\rangle$,
and let $\eta$ be the nonterminating sequence $\langle\langle 0, 1, 2, \ldots\rangle\rangle$. Let $\langle\langle e_0, e_1, \ldots\rangle\rangle \times x$
denote the sequence $\langle\langle (e_0, x), (e_1, x), \ldots\rangle\rangle$. We construct a specification $S_2$
that defines the property whose stutter-free sequences consist of all sequences
$\eta_i \times t$ together with the sequence $\eta \times f$. Formally, $S_2 = (\Sigma_2, F_2, N_2, L_2)$,
where

• $\Sigma_2 = \mathbf{N} \times \{t, f\}$. (The internal component is a Boolean.)

• $F_2 = \{(0, t), (0, f)\}$. (Behaviors start with their visible components
  equal to 0.)

• $N_2 = \{((i, x), (i+1, x))\}$. (The external component is incremented by
  1 and the internal component remains constant.)

• $L_2$ consists of all behaviors except ones of the form $\sigma \times f$ with $\sigma$
  terminating, and $\sigma \times t$ with $\sigma$ nonterminating.

The externally visible property $O_2$ defined by $S_2$ consists of the behaviors
$\eta_i$, the behavior $\eta$, and all behaviors obtained from them by stuttering.
Specification $S_2$ is fin and machine closed.

The externally visible property $O_2$ is also defined by the simpler specification
$S_1 = (\Sigma_1, F_1, N_1, L_1)$, where

• $\Sigma_1 = \Sigma_E = \mathbf{N}$. (There is no internal component.)

• $F_1 = \{0\}$. (All behaviors start at 0.)

• $N_1 = \{(i, i+1)\}$. (The state is incremented by 1.)

• $L_1$ is the set of all $\Sigma_1$-behaviors (the trivial property that allows all behaviors).
Obviously, $S_1$ implements $S_2$. Let $S_1^P = (\Sigma_1^P, F_1^P, N_1^P, L_1^P)$ be any specification
obtained from $S_1$ by adding a prophecy variable. We now show that
there does not exist a refinement mapping from $S_1^P$ to $S_2$; in fact there does
not exist any mapping from $S_1^P$ to $S_2$ that proves that $S_1^P$ implements $S_2$.

Let $P_1^P$ be the property defined by $S_1^P$. We show by contradiction that
there does not exist any mapping $f : \Sigma_1^P \to \Sigma_2$ such that (i) $\Pi_E(f(i, p)) = i$
and (ii) $f(P_1^P) \subseteq P_2$. For each $i$ let $\eta'_i \in P_1^P$ be a behavior with $\Pi_{[P]}(\eta'_i) \sim \eta_i$.
Moreover, P5 implies that we can choose $\eta'_i$ to have no repeated nonfinal
states, meaning that for $j < i$ and $k > 1$, there is no segment $\langle\langle (j, p_1), (j, p_2),
\ldots, (j, p_k)\rangle\rangle$ of $\eta'_i$ with $p_1 = p_k$. By (i), we then have that for every $i$ and
$m$ with $i < m$ there is an $l$ such that $\Pi_E(\eta'_m|_l) \sim \eta_i|_{i+1}$. Moreover, P6
and the absence of repeated nonfinal states imply that for each $i$ there is an
integer $\pi(i) \geq i$ such that $l \leq \pi(i)$ for all such $m$. We can choose $\pi$ so that
$\pi(i+1) > \pi(i)$ for all $i$.

For any $n$, the set $\{\eta'_j|_{\pi(n)}\}$ is finite (by P6). Therefore, we can inductively
construct the sequence $\theta_n$ of length $\pi(n)$ such that $\theta_n$ is a prefix of
infinitely many of the $\eta'_j$ and is also a prefix of $\theta_{n+1}$. Let $\eta' = \lim \theta_n$; then
$\Pi_E(\eta') \sim \eta$. Since each $\theta_n$ is a prefix of some $\eta'_j$, clearly $\eta'$ is in the machine
property of $S_1^P$. Property P5 then implies that $\eta' \in P_1^P$. By definition of $\eta'_i$,
assumption (ii) implies that $f(\eta'_i) \sim \eta_i \times t$, which implies that $f(\eta') \sim \eta \times t$.
We then have $\eta' \in P_1^P$ and $f(\eta') \notin P_2$, which contradicts assumption (ii).

This proof can be extended to the case where $S_1$ is replaced by any
specification $S_1^h$ obtained from it by adding a history variable. We just
replace $\eta$ with any behavior allowed by $S_1^h$ that simulates it, and replace $\eta_i$
with an initial prefix of this new $\eta$. Thus, first adding a history variable still
does not allow one to construct the refinement mapping.

The problem with specification $S_2$ is that $\eta \times t$ is not in $P_2$ even though
$\Pi_E(\eta \times t)$ is in $O_2$ and any finite portion of $\eta \times t$ is the same as the
corresponding portion of some behavior $\eta_i \times t$ in $P_2$. The sequence $\eta \times t$ is
not in P2 even though we cannot tell that it isn't by looking either at its 
externally visible component or at any finite part of the complete behavior. 
To rule out this possibility, we must add to our completeness theorem the 
hypothesis that P2 is internally continuous. 
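The hand argument above, for the case without auxiliary variables, can be checked mechanically. The following Python program is an added example and not code from this report: it encodes $S_1$ and $S_2$ with the counters restricted to $0..K$ (a constructed bound), enumerates every function from $\Sigma_1$ to $\Sigma_2$ that satisfies the safety conditions R1, R2 and R3 of a refinement mapping, and then tests R4 against the stutter-free behaviors of the unbounded $S_1$, which it represents symbolically as "terminates at $i$" or "never terminates". Only the two constant choices $f(i) = (i, \mathbf{t})$ and $f(i) = (i, \mathbf{f})$ survive the safety check (R1 fixes the counter and R3 forbids changing the Boolean, since $N_2$ keeps it constant), and $L_2$ rejects each of them on some behavior. The function names and the bound $K$ are assumptions of the example; the prophecy-variable case needs the limit argument given in the text.

```python
"""Added example (not from the paper): mechanical check of the refinement-
mapping conditions on the Section 6 specifications S1 and S2.  R1-R3 are
checked exhaustively on a bounded copy of the state spaces; R4 is checked on
the unbounded behaviours of S1, enumerated symbolically.  All names and the
bound K are constructed for this example."""

from itertools import product

K = 3  # constructed bound on the counter; keeps the mapping search finite

# A specification is (states, initial states, next-state relation, Pi_E).
# S1: a plain counter with no internal component (Pi_E is the identity).
S1 = (
    set(range(K + 1)),
    {0},
    {(i, i + 1) for i in range(K)},
    lambda s: s,
)

# S2: the counter plus a Boolean internal component that N2 never changes.
S2 = (
    {(i, b) for i in range(K + 1) for b in (True, False)},
    {(0, True), (0, False)},
    {((i, b), (i + 1, b)) for i in range(K) for b in (True, False)},
    lambda s: s[0],
)


def safety_violations(spec1, spec2, f):
    """Return the names of the conditions among R1, R2, R3 that f violates.
    R1: f maps into Sigma2 and Pi_E(f(s)) = Pi_E(s) for every state s.
    R2: f maps every initial state of spec1 to an initial state of spec2.
    R3: each step of N1 maps to a step of N2 or to a stuttering step."""
    states1, init1, next1, ext1 = spec1
    states2, init2, next2, ext2 = spec2
    bad = []
    if any(f(s) not in states2 or ext2(f(s)) != ext1(s) for s in states1):
        bad.append("R1")
    if any(f(s) not in init2 for s in init1):
        bad.append("R2")
    if any(f(s) != f(t) and (f(s), f(t)) not in next2 for (s, t) in next1):
        bad.append("R3")
    return bad


def mappings_satisfying_safety(spec1, spec2):
    """Enumerate every function from spec1's states to spec2's states and keep
    those that pass R1-R3 (exhaustive search; fine for these small spaces)."""
    states1 = sorted(spec1[0])
    states2 = sorted(spec2[0])
    keep = []
    for images in product(states2, repeat=len(states1)):
        table = dict(zip(states1, images))
        if not safety_violations(spec1, spec2, table.__getitem__):
            keep.append(table)
    return keep


# R4 on the unbounded specifications.  Every stutter-free behaviour of S1 is
# eta_i = (0, 1, ..., i, i, i, ...) or eta = (0, 1, 2, ...).  A mapping that
# passes R1 and R3 has the form f(i) = (i, b) with b constant, so its image
# of a behaviour is that behaviour "times" b.

def in_P2(behaviour, b):
    """Membership of (behaviour x b) in P2 = M2 ∩ L2.  The image is in M2 by
    construction; L2 excludes terminating x f and nonterminating x t."""
    terminating = behaviour[0] == "terminating"
    return b if terminating else not b


def r4_counterexamples(b, horizon=K):
    """Behaviours of S1 whose image under f(i) = (i, b) is not in P2."""
    behaviours = [("terminating", i) for i in range(horizon + 1)]
    behaviours.append(("nonterminating",))
    return [beh for beh in behaviours if not in_P2(beh, b)]


def refinement_mapping_exists():
    """True iff some mapping passes R1-R3 on the bounded spaces and R4 on the
    symbolic behaviours.  For S1 -> S2 this is False: the survivors of the
    safety check are the constant choices b = t and b = f, and each fails R4."""
    survivors = mappings_satisfying_safety(S1, S2)
    constants = {table[0][1] for table in survivors}
    return any(not r4_counterexamples(b) for b in constants)


if __name__ == "__main__":
    print("R1-R3 survivors:", mappings_satisfying_safety(S1, S2))
    print("R4 fails for b=t on:", r4_counterexamples(True))
    print("R4 fails for b=f on:", r4_counterexamples(False))
    print("refinement mapping exists:", refinement_mapping_exists())
    # negative control: flipping the Boolean with the parity of i breaks R3
    print(safety_violations(S1, S2, lambda i: (i, i % 2 == 0)))
```

`safety_violations` is the reusable part: for any pair of finite-state specifications given as explicit sets it reports which of R1–R3 a candidate mapping breaks, which is how one would rule out a proposed mapping before attempting the liveness condition R4.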

Definition 2 A T,-property P with induced externally visible property O 
is internally continuous ijf, for any T,-behavior a, if np((T) G O and a G 
P, then a £ P. A specification is internally continuous iff the (complete) 
property it defines is internally continuous. 
Suppose $P = M \cap L$ and $M = \overline{P}$. Then $\lim \sigma_i = \sigma$ for $\sigma_i \in P$ iff $\sigma \in M$. It follows from this that, for a machine-closed specification, internal continuity is equivalent to the condition that a complete behavior is allowed iff it is generated by the state machine and its externally visible component is allowed. In particular, safety properties are internally continuous.

Since the machine property $M$ is closed, if $\lim \sigma_i = \sigma$ for $\sigma_i \in M \cap L$, then $\sigma \in L$ iff $\sigma \in M \cap L$. This implies that if $L$ is internally continuous, then $M \cap L$ is internally continuous. Hence, for any specification, if the supplementary property is internally continuous, then the specification is internally continuous. The converse is not true, since if $M$ is the empty property, then $M \cap L$ is internally continuous for any $L$.

Any specification can be made internally continuous by adding to $L$ all sequences $\sigma$ in $M$ such that $\Pi_E(\sigma) \in O$. Expanding $L$ in this way obviously adds no new externally visible behaviors, so the resulting specification is equivalent to the original one. The expansion could introduce infinite internal nondeterminism, but not if $M$ is fin.

7 The Completeness Theorem

We can now prove our main result.

Theorem 2 (Completeness) If the machine-closed specification $S_1$ implements the internally continuous, fin specification $S_2$, then there is a specification $S_1^h$ obtained from $S_1$ by adding a history variable and a specification $S_1^{hp}$ obtained from $S_1^h$ by adding a prophecy variable such that there exists a refinement mapping from $S_1^{hp}$ to $S_2$.

Proof of Theorem 2

Given: A1. For $i = 1, 2$: $S_i = (\Sigma_i, F_i, N_i, L_i)$, $M_i$ is the machine property of $S_i$, $P_i = M_i \cap L_i$, and $O_i = \Gamma(\Pi_E(P_i))$.

A2. $O_1 \subseteq O_2$.

A3. $S_1$ is machine closed.

A4. $S_2$ is fin.

A5. $S_2$ is internally continuous.

Prove: C1. There exist specifications $S_1^h$ and $S_1^{hp}$ such that:

C1a. $S_1^h$ is obtained from $S_1$ by adding a history variable.

C1b. $S_1^{hp}$ is obtained from $S_1^h$ by adding a prophecy variable.

C1c. There exists a refinement mapping $f$ from $S_1^{hp}$ to $S_2$.
Pf: 1. Let $S_1^h$ equal $(\Sigma_1^h, F_1^h, N_1^h, L_1^h)$, where

• $\Sigma_1^h = \{(last(\sigma|_n), \sigma|_n) : n > 0 \text{ and } \sigma \in P_1\}$. (The history component $h$ of any state $(s, h)$ is a finite prefix of a behavior in $P_1$ that ends in state $s$.)

• $F_1^h = \{(s, h) \in \Sigma_1^h : \|h\| = 1\}$.

• $N_1^h = \{((s, h), (s', h')) \in \Sigma_1^h \times \Sigma_1^h : h' = h \cdot \langle\langle s'\rangle\rangle\}$. (A step of $S_1^h$'s state machine simulates a step of $S_1$'s state machine and adds the new state to the history component.)

• $L_1^h = \Pi^{-1}_{[h]}(L_1)$. (As required by H5.)

Then C1a holds.

Pf: 1.1. H1, H3, and H5 hold.

Pf: Follows immediately from the definition of $S_1^h$.

1.2. $\Pi_{[h]}(F_1^h) \subseteq F_1$.

Pf: Immediate from the definition of $F_1^h$.

1.3. $F_1 \subseteq \Pi_{[h]}(F_1^h)$.

Pf: For any $s \in F_1$, the sequence $\langle\langle s, s, s, \ldots\rangle\rangle \in M_1$. Therefore, A3 and Lemma 1 imply that $\langle\langle s\rangle\rangle$ is a prefix of a behavior in $P_1$, so $(s, \langle\langle s\rangle\rangle) \in F_1^h$ and $s = \Pi_{[h]}((s, \langle\langle s\rangle\rangle))$.

1.4. H2 holds.

Pf: 1.2 and 1.3.

1.5. H4 holds.

Pf: For any $(s, s') \in N_1$ and $(s, h) \in \Sigma_1^h$, let $h' = h \cdot \langle\langle s'\rangle\rangle$. Then A3 and Lemma 1 imply that $h'$ is the prefix of a behavior in $P_1$, so $(s', h') \in \Sigma_1^h$ by definition of $\Sigma_1^h$, and $((s, h), (s', h')) \in N_1^h$ by definition of $N_1^h$.
2. Let $S_1^{hp}$ equal $(\Sigma_1^{hp}, F_1^{hp}, N_1^{hp}, L_1^{hp})$, where

• $\Sigma_1^{hp}$ equals the set of triples $(s, h, \natural(\sigma|_m))$ with $(s, h) \in \Sigma_1^h$, $\sigma \in P_2$, $m > 0$, and $\Pi_E(\sigma|_m) \simeq \Pi_E(h)$, where we write $(s, h, p)$ instead of $((s, h), p)$. (The prophecy component $p$ of $(s, h, p)$ is an initial stutter-free prefix of a behavior in $P_2$ such that $p$ and $h$ are externally equivalent.)

• $F_1^{hp} = \{(s, h, p) \in \Sigma_1^{hp} : (s, h) \in F_1^h \text{ and } \|p\| = 1\}$. (Note that this implies $s \in F_1$ and $p = \langle\langle t\rangle\rangle$ with $t \in F_2$.)

• $N_1^{hp}$ is the set of pairs $((s, h, p), (s', h', p'))$ in $\Sigma_1^{hp} \times \Sigma_1^{hp}$ such that either

(a) $p' = p \cdot \langle\langle last(p')\rangle\rangle$ and either $((s, h), (s', h')) \in N_1^h$ or $(s, h) = (s', h')$, or

(b) $p' = p$ and $((s, h), (s', h')) \in N_1^h$.

(A step of $S_1^{hp}$'s state machine either increases the length of the prophecy component by one and simulates a [possibly stuttering] step of $S_1^h$'s state machine, or else leaves the prophecy component unchanged and simulates a nonstuttering step of $S_1^h$'s state machine.)

• $L_1^{hp} = \Pi^{-1}_{[p]}(L_1^h)$. (As required by P5.)

Then C1b holds.
Pf: 2.1. P1, P3, and P5 hold.

Pf: Immediate from the definition of $S_1^{hp}$.

2.2. $\Pi_{[p]}(F_1^{hp}) \subseteq F_1^h$.

Pf: Immediate from the definitions of $F_1^{hp}$ and $F_1^h$.

2.3. For all $(s, h, p) \in \Pi^{-1}_{[p]}(F_1^h)$ there exist $p_0, p_1, \ldots, p_n = p$ such that $(s, h, p_0) \in F_1^{hp}$ and, for $0 \le i < n$, $((s, h, p_i), (s, h, p_{i+1})) \in N_1^{hp}$.

Pf: 2.3.1. Let $(s, h, p) \in \Pi^{-1}_{[p]}(F_1^h)$, and let $p = \langle\langle t_0, t_1, \ldots, t_n\rangle\rangle$. Then $h = \langle\langle s\rangle\rangle$ and $\Pi_E(p) \simeq \Pi_E(\langle\langle s\rangle\rangle)$.

Pf: By definitions of $F_1^h$ and $\Sigma_1^{hp}$.

2.3.2. Let $p_i = \langle\langle t_0, \ldots, t_i\rangle\rangle$. Then $\Pi_E(p_i) \simeq \Pi_E(h)$.

Pf: By 2.3.1.

2.3.3. $(s, h, p_0) \in F_1^{hp}$ and $((s, h, p_i), (s, h, p_{i+1})) \in N_1^{hp}$ for $0 \le i < n$.

Pf: By 2.3.2 and the definitions of $F_1^{hp}$ and $N_1^{hp}$.

2.4. P2 holds.

Pf: By 2.2 and 2.3.

2.5. P4 holds.

Given: A2.5.1. $((s, h), (s', h')) \in N_1^h$ and $(s', h', p') \in \Sigma_1^{hp}$.

Prove: C2.5.1. There exist $p, p_0', \ldots, p_n' = p'$ in $\Sigma_P$ such that $((s, h, p), (s', h', p_0')) \in N_1^{hp}$ and, for $0 \le i < n$, $((s', h', p_i'), (s', h', p_{i+1}')) \in N_1^{hp}$.

Pf: 2.5.1. $p' = \natural(\sigma|_m)$ for some $\sigma \in P_2$, and $\Pi_E(p') \simeq \Pi_E(h')$.

Pf: By A2.5.1 and the definition of $\Sigma_1^{hp}$.

2.5.2. $h' = h \cdot \langle\langle s'\rangle\rangle$.

Pf: By A2.5.1 ($((s, h), (s', h')) \in N_1^h$) and the definition of $N_1^h$.

2.5.3. Let $p$ be the longest prefix of $p'$ such that $\Pi_E(p) \simeq \Pi_E(h)$.

Pf: The existence of $p$ follows from 2.5.1 and 2.5.2.

2.5.4. $p' = p \cdot \langle\langle t_0, \ldots, t_n\rangle\rangle$ where $\Pi_E(t_i) = \Pi_E(s')$ for $0 \le i \le n$.

Pf: By 2.5.3, 2.5.1, and 2.5.2.

2.5.5. Let $p_i' = p \cdot \langle\langle t_0, \ldots, t_i\rangle\rangle$. Then $(s', h', p_i') \in \Sigma_1^{hp}$ for $0 \le i \le n$.

Pf: By 2.5.4 and 2.5.1, we have $\Pi_E(p_i') \simeq \Pi_E(h')$. The result then follows from the definition of $\Sigma_1^{hp}$, since A2.5.1 implies $(s', h') \in \Sigma_1^h$.

2.5.6. C2.5.1 holds.

Pf: Follows easily from 2.5.5, 2.5.1, and the definition of $N_1^{hp}$.
2.6. P6 holds.

Given: A2.6.1. $(s, h) \in \Sigma_1^h$.

Prove: C2.6.1. $\{p : (s, h, p) \in \Sigma_1^{hp}\}$ is finite.

C2.6.2. There exists $p \in \Sigma_P$ such that $(s, h, p) \in \Sigma_1^{hp}$.

Pf: 2.6.1. Choose $\psi \in P_1$ such that $h = \psi|_n$, and let $\eta = \Pi_E(\psi)$.

Pf: $\psi$ exists by A2.6.1 and the definition of $\Sigma_1^h$.

2.6.2. C2.6.1 holds.

Pf: By definition of $\Sigma_1^{hp}$ and $\eta$ (in 2.6.1), A4, and Definition 1.

2.6.3. Choose $\sigma \in P_2$ such that $\Pi_E(\sigma) \simeq \eta$.

Pf: Such a $\sigma$ exists since $\eta \in O_1$ (by 2.6.1) and $O_1 \subseteq O_2$ (by A2).

2.6.4. C2.6.2 holds.

Pf: By 2.6.3 and the definition of $\eta$ (in 2.6.1), we can choose $m$ such that $\Pi_E(\sigma|_m) \simeq \Pi_E(h)$. Let $p = \natural(\sigma|_m)$. The definition of $\Sigma_1^{hp}$ implies that $(s, h, p) \in \Sigma_1^{hp}$.
3. Define $f : \Sigma_1^{hp} \to \Sigma_2$ by $f((s, h, p)) = last(p)$. Then $f$ is a refinement mapping.

Pf: 3.1. $f$ satisfies R1.

Pf: By definition of $\Sigma_1^{hp}$, if $(s, h, p) \in \Sigma_1^{hp}$ then $(s, h) \in \Sigma_1^h$ and $\Pi_E(p) \simeq \Pi_E(h)$. But $(s, h) \in \Sigma_1^h$ implies $s = last(h)$ (by definition of $\Sigma_1^h$), so $\Pi_E(p) \simeq \Pi_E(h)$ implies $\Pi_E(s) = \Pi_E(last(p))$.

3.2. $f$ satisfies R2.

Pf: By definition of $F_1^{hp}$, its elements are of the form $(s, \langle\langle s\rangle\rangle, \langle\langle t\rangle\rangle)$ where $t \in F_2$, so $f((s, \langle\langle s\rangle\rangle, \langle\langle t\rangle\rangle)) = t \in F_2$.

3.3. $f$ satisfies R3.

Given: A3.3.1. $((s, h, p), (s', h', p')) \in N_1^{hp}$.

Prove: C3.3.1. $(last(p), last(p')) \in N_2$ or $last(p) = last(p')$.

Pf: By definition of $N_1^{hp}$, A3.3.1 implies $p' = \langle\langle t_0, \ldots, t_n\rangle\rangle$ for some infinite sequence $\langle\langle t_0, t_1, \ldots\rangle\rangle \in P_2$, and either $p = p'$, in which case C3.3.1 is immediate, or $p = \langle\langle t_0, \ldots, t_{n-1}\rangle\rangle$. In the latter case, we must prove $(t_{n-1}, t_n) \in N_2$. However, this follows immediately from the fact that $\langle\langle t_0, t_1, \ldots\rangle\rangle \in P_2 \subseteq M_2$ and the definition of the machine property of a specification.
3.4. $f$ satisfies R4.

Given: A3.4.1. $\tau = \langle\langle (s_0, h_0, p_0), (s_1, h_1, p_1), \ldots\rangle\rangle \in P_1^{hp}$.

Prove: C3.4.1. $f(\tau) = \langle\langle last(p_0), last(p_1), \ldots\rangle\rangle \in L_2$.

Pf: 3.4.1. Let $\sigma = \langle\langle s_0, s_1, \ldots\rangle\rangle$. Then $\Pi_E(\sigma) = \Pi_E(\tau)$.

Pf: Follows immediately from R1 (by 3.1).

3.4.2. $\Pi_E(\sigma) \in O_1$.

Pf: C1a (proved in 1), C1b (proved in 2), and Propositions 4 and 5 imply that $\Pi_E(\tau) \in O_1$, so 3.4.2 follows from 3.4.1.

3.4.3. For all $n \ge 0$, $f(\tau)|_{n+1} \simeq p_n$.

Pf: By A3.4.1, $((s_i, h_i, p_i), (s_{i+1}, h_{i+1}, p_{i+1})) \in N_1^{hp}$ or $(s_i, h_i, p_i) = (s_{i+1}, h_{i+1}, p_{i+1})$ for all $i \ge 0$. By definition of $N_1^{hp}$, this implies $p_{i+1} = p_i$ or $p_{i+1} = p_i \cdot \langle\langle last(p_{i+1})\rangle\rangle$ for all $i$. A simple induction proof then shows that $p_n \simeq \langle\langle last(p_0), \ldots, last(p_n)\rangle\rangle = f(\tau)|_{n+1}$.

3.4.4. For all $n \ge 0$ there exists $\psi_n \in P_2$ such that $\psi_n|_{n+1} = f(\tau)|_{n+1}$.

Pf: By definition of $\Sigma_1^{hp}$, there exists a sequence $\phi_n$ such that $p_n \cdot \phi_n \in P_2$. Let $\psi_n = f(\tau)|_{n+1} \cdot \phi_n$. By 3.4.3, $\psi_n \simeq p_n \cdot \phi_n$, so $\psi_n$ is in $P_2$.

3.4.5. C3.4.1 holds.

Pf: 3.4.4 implies that $\lim \psi_n = f(\tau)$ and $\psi_n \in P_2$. By 3.4.1, 3.4.2, R1 (proved in 3.1), and A2, we have $\Pi_E(f(\tau)) \in O_2$. Since $S_2$ is internally continuous (by A5) and the $\psi_n$ are in $P_2$ (by 3.4.4), Definition 2 implies that $f(\tau) \in P_2$. This proves C3.4.1, since $P_2 \subseteq L_2$ (by A1).

End Proof of Theorem 2

The converse of this completeness theorem is not true. For instance, no matter how pathological a specification is, we can use the identity refinement mapping to prove that it implements itself.

The hypotheses of the internal continuity and finite invisible nondeterminism of $S_2$ can be removed from our completeness theorem by generalizing the definition of a prophecy variable, namely, by replacing condition P6 with the explicit requirement that the externally visible behaviors of $S^p$ be the same as those of $S$. This result is proved by defining $S_1^h$ as in the proof of Theorem 2, and defining $S_1^{hp}$ such that

• $\Sigma_1^{hp}$ is the set of 4-tuples $(s, h, n, \tau)$ with $(s, h) \in \Sigma_1^h$, $\tau \in P_2$, and $\Pi_E(h) \simeq \Pi_E(\tau|_n)$.

• $F_1^{hp}$ is the set of all states of the form $(s, h, 1, \tau)$.

• $N_1^{hp}$ is the set of pairs $((s, h, n, \tau), (s', h', n+1, \tau))$ with either $((s, h), (s', h')) \in N_1^h$ or $(s, h) = (s', h')$.

• The refinement mapping is defined by letting $f((s, h, n, \tau))$ be the $n$th element of $\tau$.

However, the condition that replaces P6 asserts that specification $S^p$ implements $S$, which is precisely the type of condition we are trying to prove in the first place. This generalization of Theorem 2 is therefore of little practical value, so we will not bother to state it and prove it formally.

There is one simple way to strengthen the completeness theorem that is of some interest. The specification $S_2$ is fin and internally continuous iff the property $P_2$ that it defines is fin and internally continuous. We can weaken the hypothesis by requiring only that there exist a fin and internally continuous property $P_2'$ contained in $P_2$ that induces the same externally visible property as $P_2$. Let $S_3$ be the specification obtained from $S_2$ by replacing $L_2$ with $L_2 \cap P_2'$. The correctness of this result follows easily from Theorem 2 by replacing $S_2$ with $S_3$.

8 Whence and Whither? 

Refinement mappings are not new. They form the basis of the methods 
advocated by Lam and Shankar [LS84] and by us [Lam83], and they are 
used by Lynch and Tuttle [LT87] to prove that one automaton implements 
another. However, none of this work addresses the issue of completeness. 
Jonsson [Jon87] and Stark [Sta88] did prove completeness results similar to 
ours, but for smaller classes of specifications. 
Complete methods for checking that a program implements a specification, without constructing refinement mappings, have been developed. Some
of the most general are those of Alpern and Schneider [AS87], Manna and 
Pnueli [MP87], and Vardi [Var87]. Their methods differ from our approach 
in at least two important ways: 

• They do not consider behaviors with different amounts of "stutter- 
ing" to be equivalent, so their definition of what constitutes a correct 
implementation is weaker than ours. 

• They require constructing the negation of specifications. In practice, 
the negation of a specification may be hard to find and hard to under- 
stand. 

Because of these differences, the methods may not offer practical alternatives 
to the use of refinement mappings for proving correctness. 

Our exposition has been purely semantic. We have considered specifi- 
cations, but not the languages in which they are expressed. We proved the 
existence of refinement mappings, but said nothing about whether they are 
expressible in any language. We do not know what languages can describe 
the necessary auxiliary variables and resulting refinement mappings. 

Our results also raise the question of what properties can be described 
by specifications that are fin and internally continuous. If the specifica- 
tion language is expressive enough, then all properties can be defined by 
specifications without internal state, which are trivially fin and internally 
continuous. At the other extreme, one can easily invent artificially impov- 
erished languages that do not allow any fin or internally continuous specifi- 
cations. The question becomes interesting only for interesting specification 
languages, such as various forms of temporal logic. In addition, recall that 
the hypotheses of our completeness theorem can be weakened by requiring 
only that S2's complete property be equivalent to a fin and internally contin- 
uous subproperty. This raises the more general question of what expressible 
properties have equivalent fin and continuous subproperties. 
Glossary/Index of Notations and Conventions

$e$ The externally visible component of a state, 7

$f$ A refinement mapping, 11

$h$ A history variable, 20

$p$ A prophecy variable, 22

$s, t$ States, 7

$y, z$ Internal components of states, 7

$F$ The set of initial states of a state machine, 9

$L$ A supplementary property, 9

$M$ A property, usually generated by a state machine, 9

$N$ The next-state relation of a state machine, 9

$O$ An externally visible property, 8

$P$ A complete property, 8

$S$ A set, typically a set of sequences, 7

S A specification, 9

$\zeta, \eta, \theta$ Externally visible behaviors, 8

$\rho, \sigma, \tau, \psi$ Sequences, usually representing complete behaviors, 8

$\Gamma_\sigma$ The set of all behaviors equivalent to $\sigma$ up to stuttering, 7

$\Gamma(S)$ The set of all behaviors equivalent to behaviors in $S$ up to stuttering, 7

$\Pi_E$ The projection from states onto their external components, 7

$\Pi_{[X]}$ The projection from states that eliminates the $X$ component, 20

$\Sigma$ A set of states, 7

$\Sigma_E$ A set of externally visible states, 7

$\Sigma_I$ A set of internal states, 7

$\Sigma^\omega$ The set of all infinite sequences of elements of $\Sigma$, 7

$\langle\langle s_1, s_2, \ldots\rangle\rangle$ The sequence whose first element is $s_1$, whose second element is $s_2$, etc., 7

$\natural\sigma$ The stutter-free form of $\sigma$, 6

$\simeq$ Equivalence of sequences up to stuttering, 7

$\sigma \cdot \tau$ The concatenation of the sequences $\sigma$ and $\tau$, 7

$\sigma|_m$ The prefix of sequence $\sigma$ of length $m$, 7

$(s, t)$ A pair of states that is an element of the next-state relation of a state machine, 9

$\overline{S}$ The closure of the set $S$, 7